CVE-2025-9485 Overview
The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress contains a critical authentication bypass vulnerability due to improper verification of cryptographic signatures. Versions up to and including 6.26.12 perform unsafe JWT token processing without proper verification or validation in the get_resource_owner_from_id_token function. This flaw allows unauthenticated attackers to bypass authentication mechanisms entirely, potentially gaining access to any existing user account—including administrator accounts in certain configurations—or creating arbitrary subscriber-level accounts.
Critical Impact
Unauthenticated attackers can bypass authentication to take over any user account, including administrators, or create malicious accounts without authorization.
Affected Products
- OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress versions up to and including 6.26.12
- WordPress sites using miniOrange OAuth Client plugin (miniorange-login-with-eve-online-google-facebook)
Discovery Timeline
- 2025-10-04 - CVE-2025-9485 published to NVD
- 2025-10-06 - Last updated in NVD database
Technical Details for CVE-2025-9485
Vulnerability Analysis
This vulnerability stems from a fundamental failure in JWT (JSON Web Token) processing within the plugin's authentication flow. The get_resource_owner_from_id_token function in class-mooauth-widget.php accepts and processes JWT tokens without verifying their cryptographic signatures. JWT tokens are typically composed of three parts: header, payload, and signature. The signature component exists specifically to ensure the token's integrity and authenticity. By skipping signature verification, the plugin accepts any JWT token—including those crafted by attackers with arbitrary claims.
An attacker can construct a malicious JWT token containing claims that impersonate any user in the WordPress system. Since the signature is never validated, the plugin trusts the forged token's claims, allowing the attacker to authenticate as that user. This is particularly dangerous in configurations where administrator accounts can be targeted, as it provides complete site takeover capabilities.
Root Cause
The root cause is classified under CWE-347 (Improper Verification of Cryptographic Signature). The vulnerable function processes ID tokens from OAuth providers without validating the JWT signature against the provider's public key. This represents a severe deviation from secure JWT handling practices, where signature verification is mandatory to ensure token authenticity. The plugin essentially trusts any well-formed JWT structure without confirming it originated from a legitimate identity provider.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. The flaw can be exploited remotely in the following sequence:
- The attacker crafts a JWT whose claims (e.g., the email address or user ID) match a target account
- The forged token is submitted to the WordPress site's OAuth callback endpoint
- The plugin decodes the token and uses its claims without verifying the signature
- Authentication succeeds and the attacker is logged in as the user named in the forged claims
The vulnerability in the get_resource_owner_from_id_token function at line 577 of class-mooauth-widget.php accepts the JWT payload without calling signature verification routines. This allows attackers to craft tokens claiming to represent any user, including administrators, without possessing valid credentials or the OAuth provider's signing keys.
Detection Methods for CVE-2025-9485
Indicators of Compromise
- Unexpected administrator or user account logins from unfamiliar IP addresses
- New subscriber-level accounts created without corresponding registration activity
- OAuth authentication logs showing token processing without corresponding identity provider activity
- Unusual patterns in WordPress authentication logs correlating with OAuth SSO endpoints
Detection Strategies
- Monitor WordPress authentication logs for SSO-related login events that lack corresponding OAuth provider authorization flows
- Implement Web Application Firewall (WAF) rules to detect anomalous JWT tokens in requests to OAuth callback endpoints
- Review user account creation logs for accounts created through OAuth flows that don't match expected identity provider patterns
- Deploy endpoint detection to identify unauthorized access attempts following OAuth authentication events
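The first detection strategy above, correlating SSO logins against the identity provider's authorization log, as an added example written for this page (not the plugin's or any vendor's code). The two log formats, the identities and the IP addresses are constructed; the plugin's real log output will differ and the regular expressions would need adjusting.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs (hypothetical formats, not the plugin's actual output).
IDP_LOG = """\
2025-10-05T10:00:02Z authorize client=wordpress-client-id sub=alice@example.test code_issued
2025-10-05T10:07:40Z authorize client=wordpress-client-id sub=bob@example.test code_issued
"""
WP_SSO_LOG = """\
2025-10-05T10:00:05Z sso_login user=alice@example.test ip=198.51.100.10
2025-10-05T10:07:44Z sso_login user=bob@example.test ip=198.51.100.11
2025-10-05T10:31:12Z sso_login user=admin@example.test ip=203.0.113.7
"""
WINDOW = timedelta(minutes=5)  # how long after code issuance a login may follow
TS = "%Y-%m-%dT%H:%M:%SZ"


def parse(log: str, pattern: str):
    """Yield (timestamp, identity) for every log line matching pattern."""
    for line in log.splitlines():
        m = re.match(pattern, line)
        if m:
            yield datetime.strptime(m["ts"], TS), m["who"]


def orphan_sso_logins(wp_log: str, idp_log: str) -> list:
    """SSO logins with no IdP authorization for the same identity inside WINDOW.

    A forged ID token produces a WordPress login that the provider never saw,
    so a login with no preceding authorization for that identity is the signal.
    """
    issued = list(parse(idp_log, r"(?P<ts>\S+) authorize .*?sub=(?P<who>\S+) code_issued"))
    orphans = []
    for ts, user in parse(wp_log, r"(?P<ts>\S+) sso_login user=(?P<who>\S+)"):
        if not any(u == user and ts - WINDOW <= t <= ts for t, u in issued):
            orphans.append(f"{ts.strftime(TS)} {user}")
    return orphans
```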
Monitoring Recommendations
- Enable verbose logging for the OAuth Single Sign On plugin to capture all authentication attempts
- Configure alerting for new administrator account creations or privilege escalations
- Monitor network traffic to OAuth callback endpoints for unusual request patterns
- Implement session monitoring to detect account access from multiple geographic locations
How to Mitigate CVE-2025-9485
Immediate Actions Required
- Update the OAuth Single Sign On – SSO (OAuth Client) plugin to the latest patched version immediately
- Audit all user accounts created through OAuth authentication for unauthorized access
- Review administrator accounts for any signs of compromise or unauthorized modifications
- Consider temporarily disabling OAuth SSO functionality until the patch is applied
Patch Information
A security patch addressing this vulnerability is available. The fix was implemented in changeset 3360768, which adds proper JWT signature verification to the token processing flow. Site administrators should update the plugin through the WordPress admin dashboard or by downloading the latest version from the WordPress plugin repository. Verify the installed version is greater than 6.26.12 after updating.
For detailed vulnerability analysis, refer to the Wordfence Vulnerability Advisory.
Workarounds
- Disable the OAuth Single Sign On plugin entirely until a patched version can be deployed
- Implement network-level access controls to restrict access to OAuth callback endpoints to known identity provider IP ranges
- Enable additional authentication factors for administrator accounts to reduce takeover risk
- Configure WordPress to require email verification for new account creation through OAuth flows
# Configuration example
# Temporarily disable the OAuth SSO plugin via WP-CLI
wp plugin deactivate miniorange-login-with-eve-online-google-facebook
# After patching, verify the plugin version
wp plugin get miniorange-login-with-eve-online-google-facebook --field=version
# Review recent user account creations for suspicious activity
wp user list --orderby=registered --order=DESC --format=table
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


