CVE-2025-9485
Published: 04 October 2025
Description
Adversaries may create a local account to maintain access to victim systems.
Security Summary
CVE-2025-9485, published on 2025-10-04, affects the OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress in versions up to and including 6.26.12. The vulnerability is an improper verification of a cryptographic signature (CWE-347): the plugin's `get_resource_owner_from_id_token` function processes the JWT id_token without verifying its signature or validating its contents before trusting the identity it carries. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity.
Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no user interaction. Successful exploitation allows bypassing authentication to access any existing user account—including administrators in certain configurations—or to create arbitrary subscriber-level accounts.
Advisories and patches reference the vulnerable code in `class-mooauth-widget.php` at line 577 of version tag 6.26.12, a fix in changeset 3360768 of the plugin repository, and a Wordfence threat intelligence report detailing the issue.
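The bug class in its simplest form, as an added example that is not the plugin's code (written in Python rather than the plugin's PHP; the HS256 signing, client secret, issuer, audience and user e-mails are constructed assumptions, and a real OIDC client would apply the same gate with the IdP's published RS256 key): a resolver that reads the id_token payload as-is accepts an unsigned token naming any account, while one that checks the `alg` allow-list, the signature, issuer, audience and expiry before reading the identity rejects it.

```python
import base64, hashlib, hmac, json, time

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_token(payload, key, alg):
    # Mints an id_token; key=None with alg "none" models an unsigned (forged) token.
    head = b64url(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url(json.dumps(payload).encode())
    sig = b"" if key is None else hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"

def resource_owner_unsafe(id_token: str) -> str:
    # The CWE-347 pattern: decode the payload and trust it; the signature is never checked.
    return json.loads(unb64url(id_token.split(".")[1]))["email"]

def resource_owner_verified(id_token, key, issuer, audience, now=None) -> str:
    head_b64, body_b64, sig_b64 = id_token.split(".")   # ValueError unless 3 segments
    header = json.loads(unb64url(head_b64))
    if header.get("alg") != "HS256":                      # allow-list; "none" is refused
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{head_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, unb64url(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(unb64url(body_b64))               # only now is the payload trusted
    now = time.time() if now is None else now
    if claims.get("iss") != issuer or claims.get("aud") != audience or claims.get("exp", 0) <= now:
        raise ValueError("wrong issuer/audience or expired")
    return claims["email"]

# Constructed sample data: hypothetical client secret, IdP, client id, users and clock.
KEY, ISS, AUD, NOW = b"client-secret-demo", "https://idp.example", "wp-client", 1_700_000_000
GOOD = make_token({"iss": ISS, "aud": AUD, "exp": NOW + 300, "email": "alice@example.com"}, KEY, "HS256")
FORGED = make_token({"iss": ISS, "aud": AUD, "exp": NOW + 300, "email": "admin@example.com"}, None, "none")

def demo() -> dict:
    def rejected(tok):
        try:
            resource_owner_verified(tok, KEY, ISS, AUD, now=NOW)
            return False
        except ValueError:
            return True
    return {"unsafe_forged": resource_owner_unsafe(FORGED),       # admin@example.com
            "safe_good": resource_owner_verified(GOOD, KEY, ISS, AUD, now=NOW),
            "safe_forged_rejected": rejected(FORGED)}              # True
```

The same check order (algorithm, signature, then claims) is what the fix in changeset 3360768 has to establish before the plugin maps the token to a WordPress user.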
Details
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A vulnerability in a public-facing WordPress OAuth plugin allows unauthenticated exploitation (Exploit Public-Facing Application, T1190) leading to an authentication bypass that lets the attacker use existing local user accounts, including administrators (Valid Accounts: Local Accounts, T1078.003), or create arbitrary subscriber-level accounts (Create Account: Local Account, T1136.001).