CVE-2025-9485

CRITICAL

WordPress OAuth Client <6.26.12 - RCE


Description

The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress is vulnerable to Improper Verification of Cryptographic Signature in versions up to, and including, 6.26.12. This is due to the plugin performing unsafe JWT token processing without verification or validation in the `get_resource_owner_from_id_token` function. This makes it possible for unauthenticated attackers to bypass authentication and gain access to any existing user account - including administrators in certain configurations - or to create arbitrary subscriber-level accounts.
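The weakness class described above (CWE-347), shown as an added PHP illustration that is not the plugin's code: one function reads ID-token claims without checking the signature, the other verifies before trusting them. The function names, the HS256 shared-secret setup, the issuer, the client ID and all sample claims are assumptions constructed for this example.

```php
<?php
// Added illustration: issuer, client ID, secret and claims are constructed values.
function b64url_decode(string $s) {
    $pad = str_repeat('=', (4 - strlen($s) % 4) % 4);
    return base64_decode(strtr($s, '-_', '+/') . $pad, true);
}
function b64url_encode(string $s): string {
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}

// Unsafe pattern (CWE-347): claims read from the payload segment, signature never checked.
function claims_unverified(string $jwt): ?array {
    $parts = explode('.', $jwt);
    $c = count($parts) === 3 ? json_decode((string) b64url_decode($parts[1]), true) : null;
    return is_array($c) ? $c : null;
}

// Hardened: pin the algorithm, verify the MAC in constant time, then check iss/aud/exp.
function claims_verified(string $jwt, string $secret, string $iss, string $aud): ?array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) return null;
    [$h, $p, $s] = $parts;
    $header = json_decode((string) b64url_decode($h), true);
    // Accept only the algorithm the site is configured for; rejects "none" and algorithm swaps.
    if (!is_array($header) || ($header['alg'] ?? null) !== 'HS256') return null;
    $sig = b64url_decode($s);
    $expected = hash_hmac('sha256', "$h.$p", $secret, true);
    if ($sig === false || !hash_equals($expected, $sig)) return null;
    $c = json_decode((string) b64url_decode($p), true);
    if (!is_array($c)) return null;
    $audOk = in_array($aud, (array) ($c['aud'] ?? []), true);
    $expOk = is_int($c['exp'] ?? null) && $c['exp'] > time();
    return (($c['iss'] ?? null) === $iss && $audOk && $expOk) ? $c : null;
}

// Constructed sample: a correctly signed token, and a copy whose payload was altered after signing.
$secret = 'constructed-client-secret';
$iss = 'https://idp.example';
$aud = 'constructed-client-id';
$base = ['iss' => $iss, 'aud' => $aud, 'exp' => time() + 300];
$h  = b64url_encode(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
$p  = b64url_encode(json_encode($base + ['email' => 'user@example.org']));
$p2 = b64url_encode(json_encode($base + ['email' => 'other@example.org']));
$sig = b64url_encode(hash_hmac('sha256', "$h.$p", $secret, true));

var_dump(claims_unverified("$h.$p2.$sig"));                   // altered claims are returned as-is
var_dump(claims_verified("$h.$p2.$sig", $secret, $iss, $aud)); // altered token is rejected
var_dump(claims_verified("$h.$p.$sig", $secret, $iss, $aud));  // intact token yields its claims
```

Providers that sign ID tokens with an asymmetric algorithm need the same ordering: pin the expected algorithm, verify against the provider's published key, and only then read identity claims.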

Exploits (1)

nomisec WORKING POC
by jFriedli · poc
https://github.com/jFriedli/CVE-2025-9485

Scores

CVSS v3 9.8
EPSS 0.0074
EPSS Percentile 73.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE
CWE-347
Status published
Products (1)
cyberlord92/OAuth Single Sign On – SSO (OAuth Client) < 6.26.12
Published Oct 04, 2025
Tracked Since Feb 18, 2026