CVE-2025-9485

CRITICAL

WordPress OAuth Client <6.26.12 - RCE

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2025-9485. PoCs published by ItsSunshineXD, jFriedli.

AI-analyzed exploit summary: The repository contains only a minimal README with no exploit code, technical details, or functional PoC. It is a placeholder with no substantive content.

Description

The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress is vulnerable to Improper Verification of Cryptographic Signature in versions up to, and including, 6.26.12. This is due to the plugin performing unsafe JWT token processing without verification or validation in the `get_resource_owner_from_id_token` function. This makes it possible for unauthenticated attackers to bypass authentication and gain access to any existing user account - including administrators in certain configurations - or to create arbitrary subscriber-level accounts.

Exploits (2)

github · STUB
by ItsSunshineXD · poc
https://github.com/ItsSunshineXD/CVE-2025-9485-PoC

The repository contains only a minimal README with no exploit code, technical details, or functional PoC. It is a placeholder with no substantive content.

Classification
Stub 95%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: unknown
No auth needed
devstral-2 · analyzed May 30, 2026
nomisec · WORKING POC
by jFriedli · poc
https://github.com/jFriedli/CVE-2025-9485

This repository provides a functional proof-of-concept for CVE-2025-9485, demonstrating an authentication bypass via unsigned JWT tokens. The exploit forges a JWT with 'alg: none' and injects it into an authentication callback to gain unauthorized access.

Classification
Working Poc 95%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: Unknown (likely a web application using JWT authentication)
No auth needed
Prerequisites: Admin email address · Valid state parameter for the target application
devstral-2 · analyzed Apr 28, 2026

Scores

CVSS v3 9.8
EPSS 0.0057
EPSS Percentile 42.5%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-347
Status published
Products (1)
cyberlord92/OAuth Single Sign On – SSO (OAuth Client) < 6.26.12
Published Oct 04, 2025
Tracked Since Feb 18, 2026