CRITICAL🇵🇱 Wersja polska

CVE-2025-9485

CVSS 9.8v3.1pub. 2025-10-04upd. 2026-04-15

The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress is vulnerable to Improper Verification of Cryptographic Signature in versions up to, and including, 6.26.12. This is due to the plugin performing unsafe JWT token processing without verification or validation in the `get_resource_owner_from_id_token` function. This makes it possible for unauthenticated attackers to bypass authentication and gain access to any existing user account - including administrators in certain configurations - or to create arbitrary subscriber-level accounts.

🤖 AI Analysis
How it works

The vulnerability results from improper handling of JWT tokens in the `get_resource_owner_from_id_token` function. The plugin processes JWT tokens without verification or validation of the cryptographic signature (CWE-347 – Improper Verification of Cryptographic Signature). This means that an attacker can craft any JWT token pointing to an existing user or requesting creation of a new account, and the plugin will accept it without checking the signature's authenticity.

Impact

An unauthenticated remote attacker can take control of any user account – including an administrator account in certain configurations – or create new accounts with subscriber privileges, which may lead to complete takeover of the WordPress site.

Mitigation & patch

The plugin should be updated to a version higher than 6.26.12, in which the fix is available according to change 3360768 in the plugin repository. The update should be performed immediately due to the critical severity level of the vulnerability and the lack of authentication requirement on the attacker's side.

Who is affected

WordPress plugin 'OAuth Single Sign On – SSO (OAuth Client)' (miniorange-login-with-eve-online-google-facebook) in versions up to and including 6.26.12

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References