{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-10305", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-09-11T22:04:22.079Z", "datePublished": "2025-09-20T04:27:55.807Z", "dateUpdated": "2026-04-08T17:20:31.927Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:20:31.927Z"}, "affected": [{"vendor": "endisha", "product": "Secure Passkeys", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.2.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Secure Passkeys plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the delete_passkey() and passkeys_list() function in all versions up to, and including, 1.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view and delete passkeys."}], "title": "Secure Passkeys <= 1.2.1 - Missing Authorization to Authenticated (Subscriber+) Passkey Exposure and Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c41651ce-ee9b-408f-a25f-113d71beb935?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3363280%40secure-passkeys&new=3363280%40secure-passkeys&sfp_email=&sfph_mail=#file2"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "timeline": [{"time": "2025-09-12T18:23:41.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-09-19T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-22T15:08:19.302424Z", "id": "CVE-2025-10305", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-22T15:08:40.911Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-10305", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-22T15:08:19.302424Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-22T15:08:29.403Z"}}], "cna": {"title": "Secure Passkeys <= 1.2.1 - Missing Authorization to Authenticated (Subscriber+) Passkey Exposure and Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Jonas Benjamin Friedli"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "endisha", "product": "Secure Passkeys", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.2.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-09-12T18:23:41.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-09-19T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c41651ce-ee9b-408f-a25f-113d71beb935?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3363280%40secure-passkeys&new=3363280%40secure-passkeys&sfp_email=&sfph_mail=#file2"}], "descriptions": [{"lang": "en", "value": "The Secure Passkeys plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the delete_passkey() and passkeys_list() function in all versions up to, and including, 1.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view and delete passkeys."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:20:31.927Z"}}}, "cveMetadata": {"cveId": "CVE-2025-10305", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:20:31.927Z", "dateReserved": "2025-09-11T22:04:22.079Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-09-20T04:27:55.807Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Secure Passkeys plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the delete_passkey() and passkeys_list() function in all versions up to, and including, 1.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view and delete passkeys."}], "id": "CVE-2025-10305", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-09-20T05:15:35.497", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3363280%40secure-passkeys&new=3363280%40secure-passkeys&sfp_email=&sfph_mail=#file2"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c41651ce-ee9b-408f-a25f-113d71beb935?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T00:48:30.571774+00:00", "value": {"mitigation_remediation": ["Update Secure Passkeys to a version newer than 1.2.1 so that the missing capability checks are applied.", "If no updated release is available, deactivate or uninstall the Secure Passkeys plugin to prevent exposure of the vulnerable functions.", "Restrict the Subscriber role and any other roles that do not require passkey management from accessing passkey functions, thereby reducing the number of accounts that could trigger the vulnerability.", "After applying a patch or disabling the plugin, review the WordPress database for any remaining passkey records that may have been stored prior to the fix and delete them as needed."], "summary": {"action": "Patch", "impact": "Unauthorized passkey exposure and deletion"}, "threat_synthesis": {"affected_systems": "The vulnerability affects installations of the WordPress plugin Secure Passkeys from endisha with versions up to and including 1.2.1. Any site running one of those releases is vulnerable; versions beyond 1.2.1 are not reported to be affected.", "description_and_impact": "The Secure Passkeys plugin for WordPress contains a missing capability check in the delete_passkey() and passkeys_list() functions, allowing authenticated users with Subscriber or higher privileges to view and delete passkeys. This results in unauthorized access to and removal of stored cryptographic passkeys. The weakness is a missing authorization check, classified as CWE-862. The CVSS score of 5.3 indicates a moderate severity.", "risk_and_exploitability": "The EPSS score is less than 1\u202f%, indicating a very low likelihood of exploitation observed in the wild. The vulnerability is not listed in the CISA KEV catalog. Attackers must first be authenticated with Subscriber-level or higher privileges, limiting the number of accounts that can trigger the vulnerability. Given the moderate CVSS score and low exploitation probability, the overall risk is moderate but should still be considered for sites that employ passkey authentication."}}}}, "created": "2025-09-22T09:58:53.602504+00:00", "updated": "2026-04-22T01:00:04.355305+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}