Vulnerability Description
The OwnID Passwordless Login plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.3.4. This is due to the plugin not properly checking if the ownid_shared_secret value is empty prior to authenticating a user via JWT. This makes it possible for unauthenticated attackers to log in as other users, including administrators, on instances where the plugin has not been fully configured yet.
CVSS Score
CRITICAL
Related Weaknesses (CWE)
References
- https://wordpress.org/plugins/ownid-passwordless-login/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/b8dd6008-e9b8-4a87-b1c
FAQ
What is CVE-2025-10294?
CVE-2025-10294 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The OwnID Passwordless Login plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.3.4. This is due to the plugin not properly checking if the ownid_share...
How severe is CVE-2025-10294?
CVE-2025-10294 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2025-10294?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.