CVE-2025-9485
Published: 04 October 2025
Summary
CVE-2025-9485 is a critical-severity Improper Verification of Cryptographic Signature (CWE-347) vulnerability in Wordpress (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 32.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-13 (Identity Providers and Authorization Servers) and SC-13 (Cryptographic Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires validation of information from authorization servers like JWT id_tokens to ensure it is authentic before using for access control, directly mitigating the plugin's failure to verify cryptographic signatures.
Mandates cryptographic mechanisms for authentication and integrity protection, including digital signature verification essential for secure JWT token processing.
Requires integrity verification of information such as JWT tokens using cryptographic techniques like digital signatures, preventing exploitation of unverified token processing.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability in public-facing WordPress OAuth plugin enables unauthenticated exploitation (T1190) for authentication bypass to access/use existing local user accounts including admins (T1078.003) or create arbitrary subscriber accounts (T1136.001).
NVD Description
The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress is vulnerable to Improper Verification of Cryptographic Signature in versions up to, and including, 6.26.12. This is due to the plugin performing unsafe JWT token processing without verification…
more
or validation in the `get_resource_owner_from_id_token` function. This makes it possible for unauthenticated attackers to bypass authentication and gain access to any existing user account - including administrators in certain configurations - or to create arbitrary subscriber-level accounts.
Deeper analysisAI
CVE-2025-9485 is an Improper Verification of Cryptographic Signature vulnerability (CWE-347) affecting the OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress, specifically versions up to and including 6.26.12. The issue stems from unsafe JWT token processing without verification or validation in the `get_resource_owner_from_id_token` function within the plugin's code, as seen in the source at class-mooauth-widget.php line 577. Published on 2025-10-04, it carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation allows bypassing authentication to gain access to any existing user account, including administrator accounts in certain configurations, or to create arbitrary subscriber-level accounts, potentially leading to full site compromise.
Wordfence's threat intelligence advisory details the vulnerability and its impact. A patch addressing the issue is available in WordPress plugin changeset 3360768 for the miniorange-login-with-eve-online-google-facebook plugin.
Details
- CWE(s)