CVE-2025-10294
Published: 15 October 2025
Description
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Security Summary
CVE-2025-10294 is an authentication bypass vulnerability in the OwnID Passwordless Login plugin for WordPress, affecting all versions up to and including 1.3.4. The flaw exists because the plugin does not check whether the ownid_shared_secret value is empty before authenticating users via JWT tokens, so a site on which the plugin is installed but the shared secret has never been set will accept tokens signed with an empty secret. The vulnerability was published on 2025-10-15 with a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is mapped to CWE-288 (Authentication Bypass Using an Alternate Path or Channel).
Unauthenticated attackers can exploit this vulnerability over the network with low attack complexity, requiring no privileges and no user interaction. On WordPress instances where the plugin has not been fully configured (that is, the shared secret is still empty), attackers can log in as any existing user, including administrators, with high confidentiality, integrity, and availability impact. Sites that have completed the plugin's configuration are not described as affected; the exposure is the window between installing the plugin and setting the secret, or any install where the secret was never set at all.
Advisories from Wordfence and the WordPress plugin directory provide further details on the vulnerability at https://www.wordfence.com/threat-intel/vulnerabilities/id/b8dd6008-e9b8-4a87-b1c7-0dc272850cbd?source=cve and https://wordpress.org/plugins/ownid-passwordless-login/, respectively.
Details
- CWE(s): CWE-288 (Authentication Bypass Using an Alternate Path or Channel)
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is an authentication bypass in a public-facing WordPress plugin: an unauthenticated remote attacker can log in as any user, including administrators, without credentials or user interaction. That is a direct instance of exploiting a public-facing application to gain initial access to the host and, through it, the network behind it.