CVE-2025-10294
📋 TL;DR
The OwnID Passwordless Login plugin for WordPress has an authentication bypass vulnerability that allows unauthenticated attackers to log in as any user, including administrators, on sites where the plugin hasn't been fully configured. This occurs because the plugin fails to properly validate the JWT authentication secret. All WordPress sites using vulnerable versions of this plugin are affected.
💻 Affected Systems
- OwnID Passwordless Login for WordPress
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete site takeover by unauthenticated attackers who can gain administrative access, modify content, install malicious plugins/themes, and potentially compromise the entire WordPress installation and server.
Likely Case
Unauthenticated attackers gain administrative access to vulnerable WordPress sites, allowing them to deface websites, steal sensitive data, or install backdoors for persistent access.
If Mitigated
No impact if the plugin is properly configured with a shared secret or if the vulnerable version is not installed.
🎯 Exploit Status
The vulnerability is straightforward to exploit once identified, requiring minimal technical skill to craft malicious JWT tokens.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.3.5 or later
Vendor Advisory: https://wordpress.org/plugins/ownid-passwordless-login/#developers
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find OwnID Passwordless Login. 4. Click 'Update Now' if available, or download version 1.3.5+ from WordPress.org and upload manually. 5. Activate the updated plugin.
🔧 Temporary Workarounds
Disable the plugin
allTemporarily disable the vulnerable plugin until it can be updated
wp plugin deactivate ownid-passwordless-login
Set a dummy shared secret
allConfigure the plugin with any non-empty shared secret value
Update wp_options table: UPDATE wp_options SET option_value = 'temporary_secret' WHERE option_name = 'ownid_shared_secret'
🧯 If You Can't Patch
- Immediately disable the OwnID Passwordless Login plugin via WordPress admin or command line
- Implement web application firewall rules to block requests containing ownid authentication parameters
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin > Plugins > Installed Plugins for OwnID Passwordless Login version 1.3.4 or earlierCheck Version:
wp plugin get ownid-passwordless-login --field=versionVerify Fix Applied:
Verify plugin version is 1.3.5 or later in WordPress admin panel📡 Detection & Monitoring
Log Indicators:
- Unusual authentication attempts via /wp-json/ownid/ endpoints
- Multiple failed login attempts followed by successful admin login from same IP
- User privilege escalation logs
Network Indicators:
- HTTP POST requests to /wp-json/ownid/v1/authenticate with JWT tokens
- Unusual traffic patterns to admin areas from new IP addresses
SIEM Query:
source="wordpress.log" AND (uri_path="/wp-json/ownid/v1/authenticate" OR plugin="ownid-passwordless-login")