CVE-2025-9485

9.8 CRITICAL

📋 TL;DR

The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress has a critical authentication bypass. Unauthenticated attackers can forge JWT tokens that the plugin accepts and thereby log in as any existing user, including administrators, or create arbitrary subscriber accounts. Any WordPress site running version 6.26.12 or earlier of the plugin is affected.

💻 Affected Systems

Products:
  • OAuth Single Sign On – SSO (OAuth Client) WordPress plugin
Versions: Up to and including 6.26.12
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Every configuration running an affected version is vulnerable; exposure is highest when the plugin is active and OAuth login is enabled.


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check the vendor's changeset and release notes against your installed version
  3. Confirm the installed plugin version is 6.26.12 or earlier before treating the site as exposed
  4. Update to 6.26.13 or later; deactivate the plugin until you can

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete site compromise: attackers gain administrative access, install backdoors, exfiltrate data, deface site, or use as attack platform.

🟠 Likely Case: Unauthorized access to user accounts, privilege escalation to admin, data theft, or site takeover.

🟢 If Mitigated: Limited impact if plugin disabled or patched quickly, but initial access still possible during exposure window.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires crafting a JWT that the plugin accepts; this is straightforward for an attacker with basic web security knowledge, and no credentials on the target site are needed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 6.26.13 or later

Fix changeset (WordPress.org plugin SVN): https://plugins.trac.wordpress.org/changeset/3360768/miniorange-login-with-eve-online-google-facebook

Restart Required: No

Instructions:

1. Log into WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'OAuth Single Sign On – SSO (OAuth Client)'.
4. Click 'Update Now' if update available.
5. Verify version is 6.26.13 or higher.

🔧 Temporary Workarounds

Disable vulnerable plugin (all platforms)

Temporarily disable the OAuth SSO plugin until patched:

wp plugin deactivate miniorange-login-with-eve-online-google-facebook

Restrict access to OAuth endpoints (Apache .htaccess or WAF)

Block direct requests to the plugin directory via a web application firewall or .htaccess. Caveat: this rule only stops requests for files under the plugin's own directory. If the plugin handles OAuth callbacks through WordPress itself (the site root, wp-login.php or admin-ajax.php) rather than as standalone files, the rule does not reach them, so treat it as defence in depth and prefer deactivating the plugin until it is updated.

# Add to .htaccess:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/miniorange-login-with-eve-online-google-facebook/.*
RewriteRule ^ - [F,L]
</IfModule>

🧯 If You Can't Patch

  • Disable the OAuth SSO plugin immediately and use alternative authentication methods
  • Restrict /wp-admin and wp-login.php to an IP allowlist, and monitor for unexpected logins, role changes and new user accounts

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → OAuth Single Sign On plugin version. If version ≤6.26.12, you are vulnerable.

Check Version:

wp plugin get miniorange-login-with-eve-online-google-facebook --field=version

Verify Fix Applied:

Verify plugin version is ≥6.26.13 in WordPress admin panel and test OAuth login functionality works correctly.
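The update, fallback-deactivate and version-check steps above (Fix & Mitigation instructions, the deactivate workaround, and How to Verify) as one script. This is an added example written for this page, not code from the plugin vendor or from WordPress; it assumes wp-cli is on PATH and is run from the WordPress root. The version comparison is done in awk so it does not depend on GNU `sort -V`.

```shell
#!/bin/sh
# Added example: check the installed OAuth Single Sign On plugin version and
# remediate. Assumes wp-cli ("wp") is installed and the script runs from the
# WordPress root (or with --path= handled by a wp-cli config).

PLUGIN_SLUG="miniorange-login-with-eve-online-google-facebook"
FIXED_VERSION="6.26.13"   # first release that carries the fix

# version_lt A B: exit 0 when dotted version A is strictly lower than B.
# Missing components count as 0, so "6.9" < "6.26.13" and "7" > "6.26.13".
version_lt() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i <= na) ? x[i] + 0 : 0
      yi = (i <= nb) ? y[i] + 0 : 0
      if (xi < yi) exit 0
      if (xi > yi) exit 1
    }
    exit 1   # equal: not lower
  }'
}

# is_vulnerable VERSION: exit 0 when VERSION is 6.26.12 or earlier.
is_vulnerable() {
  version_lt "$1" "$FIXED_VERSION"
}

# remediate: read the installed version from wp-cli, update if vulnerable, and
# deactivate the plugin if the update did not reach the fixed version.
remediate() {
  if ! command -v wp >/dev/null 2>&1; then
    echo "wp-cli not found; check the version in wp-admin -> Plugins instead" >&2
    return 2
  fi
  installed=$(wp plugin get "$PLUGIN_SLUG" --field=version 2>/dev/null) || {
    echo "plugin $PLUGIN_SLUG is not installed"
    return 0
  }
  if ! is_vulnerable "$installed"; then
    echo "installed $installed >= $FIXED_VERSION: not vulnerable"
    return 0
  fi
  echo "installed $installed is vulnerable; updating"
  wp plugin update "$PLUGIN_SLUG"
  updated=$(wp plugin get "$PLUGIN_SLUG" --field=version)
  if is_vulnerable "$updated"; then
    echo "update left $updated in place; deactivating as a workaround" >&2
    wp plugin deactivate "$PLUGIN_SLUG"
    return 1
  fi
  echo "now at $updated; test OAuth login to confirm it still works"
}

# Only act when invoked with --run, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then
  remediate
fi
```

Run it on the server as `sh check-oauth-sso.sh --run` (the file name is just an example); without `--run` it only defines the functions. Exit status 0 means patched or not installed, 1 means the plugin had to be deactivated, 2 means wp-cli was unavailable.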

📡 Detection & Monitoring

Log Indicators:

  • Unusual authentication patterns via OAuth endpoints
  • Multiple failed login attempts followed by successful OAuth authentication
  • User account creation from unexpected IP addresses

Network Indicators:

  • HTTP requests to /wp-content/plugins/miniorange-login-with-eve-online-google-facebook/ or to the OAuth callback URL carrying JWT-shaped tokens (three dot-separated base64url segments)
  • Unusual traffic to OAuth callback endpoints

SIEM Query:

source="wordpress" AND (uri_path="/wp-content/plugins/miniorange-login-with-eve-online-google-facebook/*" OR plugin_name="miniorange-login-with-eve-online-google-facebook") AND (event_type="authentication" OR event_type="user_creation")

Field names are illustrative; adapt them to your log source's schema. Note the trailing wildcard on uri_path, since an exact match on the directory alone misses requests to files beneath it.
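The log and network indicators above turned into a triage script. This is an added example, not code from the advisory or the plugin. It assumes web-server access logs in Apache/Nginx "combined" format; the sample log lines, IP addresses, tokens and the `id_token` query parameter are constructed placeholders, not the plugin's real endpoints. JWT header and payload are decoded without verification purely for triage. The advisory does not state which validation step the plugin skips, so a missing signature segment is flagged here only as a generic review signal, not as this CVE's mechanism.

```python
import base64
import json
import re
from typing import Dict, List, Optional, Tuple

PLUGIN_SLUG = "miniorange-login-with-eve-online-google-facebook"
PLUGIN_DIR = f"/wp-content/plugins/{PLUGIN_SLUG}/"

# Apache/Nginx "combined" access log (assumption about your log format):
# ip ident user [timestamp] "METHOD target PROTOCOL" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# JWT shape: header.payload.signature as base64url segments. The signature group
# may be empty so that tokens with the signature stripped are surfaced for review.
JWT_RE = re.compile(
    r"(?<![A-Za-z0-9_.-])([A-Za-z0-9_-]{16,})\.([A-Za-z0-9_-]{16,})\.([A-Za-z0-9_-]*)"
)


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token: str) -> Tuple[Optional[dict], Optional[dict]]:
    """Decode header and payload WITHOUT verifying the signature. Triage only:
    nothing returned here may be used for an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        return None, None
    try:
        header = json.loads(_b64url_decode(parts[0]))
        payload = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # bad base64 (binascii.Error), bad UTF-8 or bad JSON
        return None, None
    return header, payload


def scan_access_log(lines: List[str]) -> List[Dict[str, object]]:
    """Return one record per request that hits the plugin directory or carries
    a JWT-shaped token anywhere in the request target."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m["target"]
        in_plugin_dir = PLUGIN_DIR in target
        token_match = JWT_RE.search(target)
        if not (in_plugin_dir or token_match):
            continue
        hit: Dict[str, object] = {
            "ip": m["ip"], "method": m["method"], "status": int(m["status"]),
            "path": target.split("?", 1)[0], "in_plugin_dir": in_plugin_dir,
            "alg": None, "subject": None, "unsigned": None,
        }
        if token_match:
            header, payload = decode_jwt_unverified(token_match.group(0))
            if isinstance(header, dict):
                hit["alg"] = header.get("alg")
            if isinstance(payload, dict):
                hit["subject"] = payload.get("sub") or payload.get("email")
            hit["unsigned"] = token_match.group(3) == ""
        hits.append(hit)
    return hits


def _b64url(obj: dict) -> str:
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample tokens (not real credentials): one with a signature segment,
# one with the signature stripped. Neither reflects the plugin's actual flaw.
_SIGNED = ".".join([_b64url({"alg": "HS256", "typ": "JWT"}),
                    _b64url({"sub": "user-1001", "email": "user@example.com"}),
                    "c2lnbmF0dXJl"])
_UNSIGNED = ".".join([_b64url({"alg": "HS256", "typ": "JWT"}),
                      _b64url({"sub": "admin", "email": "admin@example.com"}),
                      ""])

# Constructed sample log. IPs are RFC 5737 documentation addresses; the
# "id_token" query parameter is a placeholder, not the plugin's real parameter.
SAMPLE_LOG = [
    '198.51.100.4 - - [10/Sep/2025:09:59:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1234 "-" "Mozilla/5.0"',
    f'203.0.113.7 - - [10/Sep/2025:10:01:02 +0000] "GET {PLUGIN_DIR}?id_token={_SIGNED} HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    f'203.0.113.7 - - [10/Sep/2025:10:01:05 +0000] "POST {PLUGIN_DIR} HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    f'192.0.2.9 - - [10/Sep/2025:10:02:10 +0000] "GET /?id_token={_UNSIGNED} HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(hit)
```

POST bodies are not in access logs, so a POST to the plugin directory shows up with no token; correlate those with WordPress-side events (new users, role changes) from the log indicators above. Feed real logs with `scan_access_log(open(path).read().splitlines())`.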
