Vulnerability Description
The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress is vulnerable to Improper Verification of Cryptographic Signature in versions up to, and including, 6.26.12. This is due to the plugin performing unsafe JWT processing, without signature verification or claim validation, in the `get_resource_owner_from_id_token` function. This makes it possible for unauthenticated attackers to bypass authentication and gain access to any existing user account - including administrators in certain configurations - or to create arbitrary subscriber-level accounts.
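To make the weakness class concrete, the following is an added illustration of the two ways an id_token can be turned into a resource owner; it is not the plugin's code. It assumes a hypothetical HS256 token with a shared key instead of the provider's RS256/JWKS setup, and the function names, issuer, audience and key values are constructed for the example.

```python
import base64, hashlib, hmac, json, time

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def unsafe_resource_owner(id_token: str) -> dict:
    """Vulnerable pattern: decode the payload and trust its claims (sub, email)
    without checking the signature, issuer, audience or expiry."""
    _header, payload, _sig = id_token.split(".")
    return json.loads(b64url_decode(payload))

def verified_resource_owner(id_token: str, key: bytes, issuer: str, audience: str, now=None) -> dict:
    """Hardened pattern: pin the algorithm, verify the HS256 signature with the
    configured key, then check iss/aud/exp. Raises ValueError on any failure."""
    header_b64, payload_b64, sig_b64 = id_token.split(".")   # ValueError if not 3 parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":       # the token must never choose the algorithm
        raise ValueError("unexpected alg")
    signing_input = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature verification failed")
    claims = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        raise ValueError("issuer or audience mismatch")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired or missing exp")
    return claims

def accepts_id_token(id_token: str, key: bytes, issuer: str, audience: str, now=None) -> bool:
    """True only if the hardened check would accept the token."""
    try:
        verified_resource_owner(id_token, key, issuer, audience, now)
        return True
    except ValueError:          # JSONDecodeError is a ValueError subclass
        return False

def make_hs256_token(claims: dict, key: bytes) -> str:
    """Builds a legitimately signed sample token (constructed test data only)."""
    header = b64url_encode(json.dumps({"alg": "HS256"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"
```

The first function is the shape of the flaw described above: whatever `sub` or `email` the payload carries becomes the logged-in user. The second only honours claims after the signature has been checked against a key the site configured, and with the algorithm fixed by the verifier rather than read from the token.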
CVSS Score
9.8 (CRITICAL)
Related Weaknesses (CWE)
CWE-347: Improper Verification of Cryptographic Signature
References
- https://plugins.trac.wordpress.org/browser/miniorange-login-with-eve-online-goog
- https://plugins.trac.wordpress.org/changeset/3360768/miniorange-login-with-eve-o
- https://www.wordfence.com/threat-intel/vulnerabilities/id/d2448afc-70d1-4dd5-b73
FAQ
What is CVE-2025-9485?
CVE-2025-9485 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress is vulnerable to Improper Verification of Cryptographic Signature in versions up to, and including, 6.26.12. This is due to the plugi...
How severe is CVE-2025-9485?
CVE-2025-9485 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2025-9485?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.