← volver
CVE-2025-10294

OwnID Passwordless Login <= 1.3.4 - Authentication Bypass

CVSS 9.8 CRITICALEPSS 0.8%CWE-288
Vexday Risk Score
28Bajo
Decisión SSVC (CISA)
Track
Sin señal de explotación → monitorear
CVSS 9.8EPSS 0.8%KEV nãoPoC Nuclei Metasploit Patch
Ciclo de vida
15 oct 2025Publicada en NVD
Recomendación: Monitorear — sin señal de explotación por ahora.
The OwnID Passwordless Login plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.3.4. This is due to the plugin not properly checking if the ownid_shared_secret value is empty prior to authenticating a user via JWT. This makes it possible for unauthenticated attackers to log in as other users, including administrators, on instances where the plugin has not been fully configured yet.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Productos afectados
victornavarro · OwnID Passwordless Login

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://wordpress.org/plugins/ownid-passwordless-login/https://www.wordfence.com/threat-intel/vulnerabilities/id/b8dd6008-e9b8-4a87-b1c7-0dc272850cbd?source=cve