CVE-2025-10305 – The Secure Passkeys WordPress plugin has an aut... (How to Fix)

Q: What is the severity of CVE-2025-10305?

CVE-2025-10305 has a CVSS score of 5.3 (MEDIUM). The Secure Passkeys WordPress plugin has an authorization vulnerability that allows authenticated users with Subscriber-level access or higher to view and delete passkeys without proper permission checks. This affects all WordPress sites using the plugin version 1.2.1 or earlier. Attackers can compromise passkey-based authentication systems on affected sites.

📋 TL;DR

The Secure Passkeys WordPress plugin has an authorization vulnerability that allows authenticated users with Subscriber-level access or higher to view and delete passkeys without proper permission checks. This affects all WordPress sites using the plugin version 1.2.1 or earlier. Attackers can compromise passkey-based authentication systems on affected sites.

💻 Affected Systems

Products:

Secure Passkeys WordPress Plugin

Versions: All versions up to and including 1.2.1

Operating Systems: All operating systems running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Requires WordPress installation with the Secure Passkeys plugin enabled. Any authenticated user (Subscriber role or higher) can exploit this vulnerability.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers delete all passkeys, locking legitimate users out of their accounts and potentially enabling account takeover through passkey manipulation.

🟠

Likely Case

Attackers delete specific users' passkeys to disrupt their access or view passkey metadata to understand authentication patterns.

🟢

If Mitigated

With proper user role management and monitoring, impact is limited to minor disruption before detection.

🌐 Internet-Facing: HIGH

🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: UNKNOWN

Unauthenticated Exploit: ✅ No

Complexity: MEDIUM

Exploitation requires authenticated access but only at the lowest user level (Subscriber). Attackers need to understand WordPress REST API endpoints and plugin functionality.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version after 1.2.1

Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3363280%40secure-passkeys&new=3363280%40secure-passkeys&sfp_email=&sfph_mail=#file2

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins > Installed Plugins. 3. Find Secure Passkeys plugin. 4. Click 'Update Now' if available. 5. If no update appears, manually download latest version from WordPress.org and replace plugin files.

🔧 Temporary Workarounds

Disable Plugin

all

Temporarily disable the Secure Passkeys plugin until patched

wp plugin deactivate secure-passkeys

Restrict User Registration

all

Disable new user registration to prevent attackers from obtaining Subscriber accounts

Update WordPress Settings > General > Membership to 'Anyone can register' = unchecked

🧯 If You Can't Patch

Implement web application firewall rules to block requests to vulnerable plugin endpoints
Monitor and audit user activity, especially passkey-related actions from Subscriber-level accounts

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel > Plugins > Installed Plugins for Secure Passkeys version 1.2.1 or lower

Check Version:

wp plugin get secure-passkeys --field=version

Verify Fix Applied:

Verify plugin version is higher than 1.2.1 and test passkey functionality with Subscriber account

📡 Detection & Monitoring

Log Indicators:

Unusual DELETE or GET requests to /wp-json/secure-passkeys/v1/ endpoints from Subscriber accounts
Multiple passkey deletion events in short timeframes

Network Indicators:

HTTP requests to vulnerable REST API endpoints with non-admin authentication

SIEM Query:

source="wordpress" AND (uri_path="/wp-json/secure-passkeys/v1/delete" OR uri_path="/wp-json/secure-passkeys/v1/list") AND user_role="subscriber"

📊 Metadata

CVE ID: CVE-2025-10305

CVSS v3 Score: 5.3 (MEDIUM)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

CWE: CWE-862

EPSS Score: 0.06% exploit probability (18.9th percentile)

Published: September 20, 2025

Last Updated: September 22, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-10305, you might also want to check these: