{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-10294", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-09-11T19:57:38.707Z", "datePublished": "2025-10-15T08:26:01.063Z", "dateUpdated": "2026-04-08T17:17:52.279Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:17:52.279Z"}, "affected": [{"vendor": "victornavarro", "product": "OwnID Passwordless Login", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.3.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The OwnID Passwordless Login plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.3.4. This is due to the plugin not properly checking if the ownid_shared_secret value is empty prior to authenticating a user via JWT. This makes it possible for unauthenticated attackers to log in as other users, including administrators, on instances where the plugin has not been fully configured yet."}], "title": "OwnID Passwordless Login <= 1.3.4 - Authentication Bypass", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b8dd6008-e9b8-4a87-b1c7-0dc272850cbd?source=cve"}, {"url": "https://wordpress.org/plugins/ownid-passwordless-login/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel", "cweId": "CWE-288", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL"}}], "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "timeline": [{"time": "2025-10-14T19:34:27.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-10-15T13:23:41.054643Z", "id": "CVE-2025-10294", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-15T14:54:13.790Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-10294", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-10-15T13:23:41.054643Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-10-15T13:23:41.790Z"}}], "cna": {"title": "OwnID Passwordless Login <= 1.3.4 - Authentication Bypass", "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 9.8, "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "victornavarro", "product": "OwnID Passwordless Login", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.3.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-14T19:34:27.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b8dd6008-e9b8-4a87-b1c7-0dc272850cbd?source=cve"}, {"url": "https://wordpress.org/plugins/ownid-passwordless-login/"}], "descriptions": [{"lang": "en", "value": "The OwnID Passwordless Login plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.3.4. This is due to the plugin not properly checking if the ownid_shared_secret value is empty prior to authenticating a user via JWT. This makes it possible for unauthenticated attackers to log in as other users, including administrators, on instances where the plugin has not been fully configured yet."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-288", "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:17:52.279Z"}}}, "cveMetadata": {"cveId": "CVE-2025-10294", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:17:52.279Z", "dateReserved": "2025-09-11T19:57:38.707Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-10-15T08:26:01.063Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The OwnID Passwordless Login plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.3.4. This is due to the plugin not properly checking if the ownid_shared_secret value is empty prior to authenticating a user via JWT. This makes it possible for unauthenticated attackers to log in as other users, including administrators, on instances where the plugin has not been fully configured yet."}], "id": "CVE-2025-10294", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-10-15T09:15:39.043", "references": [{"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/ownid-passwordless-login/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b8dd6008-e9b8-4a87-b1c7-0dc272850cbd?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-288"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T02:19:57.250420+00:00", "value": {"mitigation_remediation": ["Update the OwnID Passwordless Login plugin to the latest version (1.3.5 or newer) which includes proper secret validation", "After updating, confirm that the ownid_shared_secret is set to a non\u2011empty, securely stored value in the plugin configuration", "If the plugin is not required, remove or disable it entirely from the WordPress installation"], "summary": {"action": "Apply Patch", "impact": "Authentication Bypass"}, "threat_synthesis": {"affected_systems": "Affecting the OwnID Passwordless Login WordPress plugin, all releases up to and including version 1.3.4 are vulnerable. Users running these versions without full configuration that sets a non\u2011empty ownid_shared_secret are at risk.", "description_and_impact": "The OwnID Passwordless Login plugin for WordPress is vulnerable because it does not verify that the ownid_shared_secret value is set before validating a JWT. This oversight allows an unauthenticated attacker to supply a forged token and gain access as any user, including administrators. The consequence is full control over the site without requiring credentials, compromising confidentiality, integrity, and availability of the WordPress installation.", "risk_and_exploitability": "The flaw scores a CVSS of 9.8, indicating a critical severity. The EPSS score is less than 1%, suggesting the probability of exploitation is currently low but not zero. The vulnerability is not listed in CISA KEV. The most likely attack vector is a remote attacker exploiting the plugin\u2019s authentication endpoint by sending a crafted JWT, bypassing the missing secret check to impersonate any user. Once authenticated, the attacker can perform any administrative actions permitted by the compromised role."}}}}, "created": "2025-10-20T13:26:58.797948+00:00", "updated": "2026-04-21T02:30:25.825380+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}