Description
The Secure Passkeys plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the delete_passkey() and passkeys_list() functions in all versions up to, and including, 1.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view and delete passkeys.
Published: 2025-09-20
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized passkey exposure and deletion
Action: Patch
AI Analysis

Impact

The Secure Passkeys plugin for WordPress contains a missing capability check in the delete_passkey() and passkeys_list() functions, allowing authenticated users with Subscriber or higher privileges to view and delete passkeys. This results in unauthorized access to and removal of stored cryptographic passkeys. The weakness is a missing authorization check, classified as CWE-862. The CVSS score of 5.3 indicates a moderate severity.

Affected Systems

The vulnerability affects installations of the WordPress plugin Secure Passkeys from endisha with versions up to and including 1.2.1. Any site running one of those releases is vulnerable; versions beyond 1.2.1 are not reported to be affected.

Risk and Exploitability

The EPSS score is less than 1%, indicating a very low likelihood of exploitation observed in the wild. The vulnerability is not listed in the CISA KEV catalog. Attackers must first be authenticated with Subscriber-level or higher privileges, which limits the number of accounts that can trigger the vulnerability. Given the moderate CVSS score and low exploitation probability, the overall risk is moderate but should still be considered for sites that employ passkey authentication.

Generated by OpenCVE AI on April 22, 2026 at 00:48 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Secure Passkeys to a version newer than 1.2.1 so that the missing capability checks are applied.
  • If no updated release is available, deactivate or uninstall the Secure Passkeys plugin to prevent exposure of the vulnerable functions.
  • Restrict the Subscriber role and any other roles that do not require passkey management from accessing passkey functions, thereby reducing the number of accounts that could trigger the vulnerability.
  • After applying a patch or disabling the plugin, review the WordPress database for any remaining passkey records that may have been stored prior to the fix and delete them as needed.
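To make the CWE-862 pattern described in the Impact section and the role restriction in the third recommendation concrete, here is an added illustration of what a missing capability check looks like in a WordPress AJAX handler and how the same handler is written with proper authorization. This is not code from the Secure Passkeys plugin; the function names (demo_passkeys_*), the user-meta key, the nonce actions and the assumption that passkeys live in user meta are all hypothetical.

```php
<?php
/**
 * Added illustration of the missing-authorization pattern (CWE-862) and its fix.
 * Not code from the Secure Passkeys plugin: every demo_passkeys_* name, the
 * 'demo_passkeys' meta key and the nonce actions are hypothetical, and passkey
 * records are assumed to be an array stored in user meta.
 */

// --- Vulnerable shape: authenticated, but never authorized -------------------
// Any logged-in user, Subscriber included, can reach a wp_ajax_* handler, so
// "the caller is logged in" is not an authorization decision. There is no nonce,
// no capability check and no ownership check on the target user.
function demo_passkeys_delete_vulnerable() {
    $user_id    = absint( $_POST['user_id'] ?? 0 );
    $passkey_id = sanitize_text_field( wp_unslash( $_POST['passkey_id'] ?? '' ) );

    $passkeys = (array) get_user_meta( $user_id, 'demo_passkeys', true );
    unset( $passkeys[ $passkey_id ] );
    update_user_meta( $user_id, 'demo_passkeys', $passkeys );

    wp_send_json_success();
}

// --- Authorization rule kept in one place -------------------------------------
// A user may manage their own passkeys; managing another account's passkeys
// requires the core 'edit_user' meta capability for that account.
function demo_passkeys_user_can_manage( $target_user_id ) {
    if ( ! is_user_logged_in() ) {
        return false;
    }
    if ( (int) $target_user_id === get_current_user_id() ) {
        return true;
    }
    return current_user_can( 'edit_user', $target_user_id );
}

// --- Hardened delete: nonce, capability/ownership check, existence check ------
function demo_passkeys_delete_hardened() {
    check_ajax_referer( 'demo_passkeys_delete', 'nonce' );

    $user_id    = absint( $_POST['user_id'] ?? get_current_user_id() );
    $passkey_id = sanitize_text_field( wp_unslash( $_POST['passkey_id'] ?? '' ) );

    if ( ! demo_passkeys_user_can_manage( $user_id ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    $passkeys = (array) get_user_meta( $user_id, 'demo_passkeys', true );
    if ( ! isset( $passkeys[ $passkey_id ] ) ) {
        wp_send_json_error( array( 'message' => 'Not found' ), 404 );
    }
    unset( $passkeys[ $passkey_id ] );
    update_user_meta( $user_id, 'demo_passkeys', $passkeys );

    wp_send_json_success();
}

// --- Hardened list: same gate, and only display fields leave the server -------
function demo_passkeys_list_hardened() {
    check_ajax_referer( 'demo_passkeys_list', 'nonce' );

    $user_id = absint( $_GET['user_id'] ?? get_current_user_id() );
    if ( ! demo_passkeys_user_can_manage( $user_id ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    $passkeys = (array) get_user_meta( $user_id, 'demo_passkeys', true );
    $out      = array();
    foreach ( $passkeys as $id => $pk ) {
        // Never return raw credential material, only what the UI needs to show.
        $out[] = array(
            'id'      => $id,
            'label'   => $pk['label'] ?? '',
            'created' => $pk['created'] ?? '',
        );
    }
    wp_send_json_success( $out );
}

// Only the hardened handlers are registered; the vulnerable one is shown for contrast.
add_action( 'wp_ajax_demo_passkeys_delete', 'demo_passkeys_delete_hardened' );
add_action( 'wp_ajax_demo_passkeys_list', 'demo_passkeys_list_hardened' );
```

The design point is that the authorization decision is a single function that every passkey endpoint calls, so adding a new endpoint cannot silently skip it; the nonce check prevents cross-site requests from driving the handler, and the ownership rule is what stops a Subscriber from listing or deleting passkeys that belong to other accounts.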



Advisories
Source: EUVD
ID: EUVD-2025-30311
Title: The Secure Passkeys plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the delete_passkey() and passkeys_list() function in all versions up to, and including, 1.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view and delete passkeys.
History

Mon, 22 Sep 2025 15:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Sep 2025 10:15:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress
Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Sat, 20 Sep 2025 04:45:00 +0000

Type: Description
Values Added: The Secure Passkeys plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the delete_passkey() and passkeys_list() function in all versions up to, and including, 1.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view and delete passkeys.
Type: Title
Values Added: Secure Passkeys <= 1.2.1 - Missing Authorization to Authenticated (Subscriber+) Passkey Exposure and Deletion
Type: Weaknesses
Values Added: CWE-862
Type: References
Type: Metrics
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:20:31.927Z

Reserved: 2025-09-11T22:04:22.079Z

Link: CVE-2025-10305

Vulnrichment

Updated: 2025-09-22T15:08:29.403Z

NVD

Status: Deferred

Published: 2025-09-20T05:15:35.497

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-10305

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T01:00:04Z

Weaknesses