CVE-2025-10294

CRITICAL

OwnID Passwordless Login <1.3.4 - Auth Bypass

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-10294. PoCs published by jFriedli.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2025-10294, demonstrating an authentication bypass via JWT forgery using an empty HMAC key. The PoC includes steps to forge a JWT, send it to a login endpoint, and verify the bypass.

Description

The OwnID Passwordless Login plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.3.4. This is due to the plugin not properly checking if the ownid_shared_secret value is empty prior to authenticating a user via JWT. This makes it possible for unauthenticated attackers to log in as other users, including administrators, on instances where the plugin has not been fully configured yet.

Exploits (1)

nomisec WORKING POC
by jFriedli · poc
https://github.com/jFriedli/CVE-2025-10294

This repository contains a functional exploit for CVE-2025-10294, demonstrating an authentication bypass via JWT forgery using an empty HMAC key. The PoC includes steps to forge a JWT, send it to a login endpoint, and verify the bypass.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: ownID (WordPress plugin)
No auth needed
Prerequisites: Access to the target WordPress instance with ownID plugin · Admin user ID for JWT forgery
devstral-2 · analyzed Apr 28, 2026 Full analysis →

References (2)

Core 2

Scores

CVSS v3 9.8
EPSS 0.0078
EPSS Percentile 51.0%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-288
Status published
Products (1)
victornavarro/OwnID Passwordless Login < 1.3.4
Published Oct 15, 2025
Tracked Since Feb 18, 2026