CVE-2025-9485
BaseFortify
Publication date: 2025-10-04
Last updated on: 2025-10-06
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | oauth_single_sign_on | 6.26.12 |
| wordpress | miniorange-login-with-eve-online-google-facebook | 6.26.12 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-347 | The product does not verify, or incorrectly verifies, the cryptographic signature for data. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the OAuth Single Sign On - SSO (OAuth Client) plugin for WordPress, versions up to and including 6.26.12. It is caused by improper verification of cryptographic signatures in the plugin's JWT token processing, specifically in the get_resource_owner_from_id_token function. Because the plugin does not properly verify or validate JWT tokens, unauthenticated attackers can exploit this flaw to bypass authentication.
How can this vulnerability impact me?
An attacker exploiting this vulnerability can gain unauthorized access to any existing user account on the affected WordPress site, including administrator accounts in some configurations. Additionally, attackers can create arbitrary subscriber-level accounts. This can lead to full compromise of the site, including data theft, site manipulation, and denial of service.
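The signature check that CWE-347 describes, as an added example that is not the plugin's code: a lookup that trusts the ID token payload as-is, beside a hardened lookup that pins the algorithm and checks signature, issuer, audience and expiry before trusting `sub`. It assumes an HS256 shared secret and the constructed key, issuer and audience values shown so it runs offline (a real OIDC provider would normally sign with RS256 keys published via JWKS), and the function names are hypothetical, not the plugin's get_resource_owner_from_id_token.

```python
import base64
import hashlib
import hmac
import json

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(claims: dict, key: bytes) -> str:
    """Constructed HS256 ID token for the demo (assumption: a real IdP would use RS256)."""
    h = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    p = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"

def resource_owner_unverified(token: str) -> str:
    """CWE-347 pattern: reads 'sub' from the payload without checking the signature."""
    _, payload, _ = token.split(".")
    return json.loads(b64url_decode(payload))["sub"]

def resource_owner_verified(token: str, key: bytes, issuer: str, audience: str, now: int) -> str:
    """Hardened lookup: alg, signature, iss, aud and exp are all checked before 'sub' is trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    if json.loads(b64url_decode(h)).get("alg") != "HS256":  # pin the algorithm; rejects alg=none
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if claims.get("iss") != issuer or audience not in aud:
        raise ValueError("wrong issuer or audience")
    if now >= int(claims.get("exp", 0)):
        raise ValueError("token expired")
    return claims["sub"]

# Constructed demo values: a second token whose payload was altered while the original signature stays.
KEY = b"demo-shared-secret"
ISSUER, AUDIENCE, NOW = "https://idp.example", "wp-client", 1_700_000_000
GOOD = make_token({"iss": ISSUER, "aud": AUDIENCE, "exp": NOW + 600, "sub": "alice"}, KEY)
hdr, _, sig = GOOD.split(".")
tampered_payload = b64url_encode(json.dumps({"iss": ISSUER, "aud": AUDIENCE, "exp": NOW + 600, "sub": "bob"}).encode())
TAMPERED = f"{hdr}.{tampered_payload}.{sig}"
```

The unverified lookup returns "bob" for TAMPERED, while the verified one raises on the signature mismatch; an expired or wrong-audience token is rejected the same way.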