Cyber Resilience

CVE-2025-9485

Critical

Published: 04 October 2025

Published
04 October 2025
Modified
15 April 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0045 64.2th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-9485 is a critical-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability in Wordpress (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 35.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-13 (Identity Providers and Authorization Servers) and SC-13 (Cryptographic Protection).

Deeper analysis

CVE-2025-9485 is an Improper Verification of Cryptographic Signature vulnerability (CWE-347) affecting the OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress, specifically versions up to and including 6.26.12. The issue stems from unsafe JWT token processing without verification or validation in the `get_resource_owner_from_id_token` function within the plugin's code, as seen in the source at class-mooauth-widget.php line 577. Published on 2025-10-04, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical.

Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation allows bypassing authentication to gain access to any existing user account, including administrator accounts in certain configurations, or to create arbitrary subscriber-level accounts, potentially leading to full site compromise.

Wordfence's threat intelligence advisory details the vulnerability and its impact. A patch addressing the issue is available in WordPress plugin changeset 3360768 for the miniorange-login-with-eve-online-google-facebook plugin.

EU & UK References

Vulnerability details

The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress is vulnerable to Improper Verification of Cryptographic Signature in versions up to, and including, 6.26.12. This is due to the plugin performing unsafe JWT token processing without verification…

more

or validation in the `get_resource_owner_from_id_token` function. This makes it possible for unauthenticated attackers to bypass authentication and gain access to any existing user account - including administrators in certain configurations - or to create arbitrary subscriber-level accounts.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1078.003 Local Accounts Stealth
Adversaries may obtain and abuse credentials of a local account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
T1136.001 Local Account Persistence
Adversaries may create a local account to maintain access to victim systems.
Why these techniques?

Vulnerability in public-facing WordPress OAuth plugin enables unauthenticated exploitation (T1190) for authentication bypass to access/use existing local user accounts including admins (T1078.003) or create arbitrary subscriber accounts (T1136.001).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-24043Shared CWE-347
CVE-2026-32974Shared CWE-347
CVE-2025-27670Shared CWE-347
CVE-2026-5050Shared CWE-347
CVE-2026-0750Shared CWE-347
CVE-2026-38651Shared CWE-347
CVE-2026-42193Shared CWE-347
CVE-2026-20997Shared CWE-347
CVE-2026-34840Shared CWE-347
CVE-2025-27773Shared CWE-347

Affected Assets

Wordpress
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires validation of information from authorization servers like JWT id_tokens to ensure it is authentic before using for access control, directly mitigating the plugin's failure to verify cryptographic signatures.

prevent

Mandates cryptographic mechanisms for authentication and integrity protection, including digital signature verification essential for secure JWT token processing.

prevent

Requires integrity verification of information such as JWT tokens using cryptographic techniques like digital signatures, preventing exploitation of unverified token processing.

References