Description
The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress is vulnerable to Improper Verification of Cryptographic Signature in versions up to, and including, 6.26.12. This is due to the plugin performing unsafe JWT token processing without verification or validation in the `get_resource_owner_from_id_token` function. This makes it possible for unauthenticated attackers to bypass authentication and gain access to any existing user account - including administrators in certain configurations - or to create arbitrary subscriber-level accounts.
Published: 2025-10-04
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass / Account Takeover
Action: Immediate Patch
AI Analysis

Impact

The OAuth Single Sign On – SSO plugin for WordPress is vulnerable to improper verification of cryptographic signature, allowing unauthenticated attackers to forge JSON Web Tokens. The plugin's get_resource_owner_from_id_token() function processes ID tokens without verifying the signature, which bypasses authentication. Attackers can trigger login with a fabricated token and gain access to any existing user account, including administrators, or create new subscriber-level accounts.
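The defect class named above (CWE-347, decoding an ID token and trusting its claims without checking the signature) is easiest to see next to a consumer that does the checks. The block below is an added illustration and is not the plugin's code: `unsafe_resource_owner` stands in for the unverified pattern, `verified_resource_owner` shows the checks a relying party must perform (pinned algorithm, signature, issuer, audience, expiry). It assumes HS256 with a shared secret so it runs offline with the standard library; real OIDC ID tokens are usually RS256 and verified against the provider's JWKS, but the same checks apply. All names, secrets and tokens are constructed for the example.

```python
"""Added illustration of CWE-347 (not the plugin's code): an id_token consumer
that returns claims without checking the signature, beside one that verifies the
signature and standard claims before trusting anything in the payload.

Assumption: HS256 with a shared secret, so the example runs offline. Real OIDC
ID tokens are usually RS256 signed and verified against the provider's JWKS.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed values for the example; not from any real deployment.
SHARED_SECRET = b"example-client-secret-not-real"
ISSUER = "https://idp.example.invalid"
CLIENT_ID = "wp-site-client-id"
NOW = 1_700_000_000  # fixed clock so the example is deterministic


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def encode_token(claims: dict, alg: str, key: bytes = b"") -> str:
    """Build a compact JWT. alg 'none' yields an empty signature segment."""
    header = _b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    if alg == "HS256":
        sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
        return f"{header}.{payload}.{_b64url_encode(sig)}"
    return f"{header}.{payload}."


def unsafe_resource_owner(id_token: str) -> dict:
    """The CWE-347 pattern: trusts whatever the payload segment says."""
    return json.loads(_b64url_decode(id_token.split(".")[1]))


def verified_resource_owner(id_token: str, key: bytes, issuer: str,
                            client_id: str, now: float = None) -> dict:
    """Verify algorithm, signature, issuer, audience and expiry, then return claims."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm server-side; the token must never choose it.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("signature verification failed")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("token expired or missing exp")
    return claims


# Constructed sample tokens: one genuine, two that only an unverified consumer accepts.
_CLAIMS_ADMIN = {"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-1",
                 "email": "admin@example.invalid", "exp": NOW + 600}
GENUINE = encode_token({"iss": ISSUER, "aud": CLIENT_ID, "sub": "user-42",
                        "email": "alice@example.invalid", "exp": NOW + 600},
                       "HS256", SHARED_SECRET)
UNSIGNED = encode_token(_CLAIMS_ADMIN, "none")                 # alg=none, empty signature
WRONG_KEY = encode_token(_CLAIMS_ADMIN, "HS256", b"not-the-secret")  # signed by a non-issuer


def _attempt(token: str) -> str:
    """Return 'accepted:<sub>' or 'rejected:<reason>' from the verifying consumer."""
    try:
        return "accepted:" + verified_resource_owner(token, SHARED_SECRET, ISSUER, CLIENT_ID, NOW)["sub"]
    except ValueError as e:
        return "rejected:" + str(e)


def compare() -> dict:
    """Outcome of each consumer on each sample token."""
    return {
        "unsafe_unsigned": unsafe_resource_owner(UNSIGNED)["email"],
        "unsafe_wrong_key": unsafe_resource_owner(WRONG_KEY)["email"],
        "verified_genuine": _attempt(GENUINE),
        "verified_unsigned": _attempt(UNSIGNED),
        "verified_wrong_key": _attempt(WRONG_KEY),
    }


if __name__ == "__main__":
    print(json.dumps(compare(), indent=2))
```

The unverified consumer maps both bogus tokens to the claimed account; the verifying one rejects the unsigned token on the algorithm check and the wrongly keyed token on the signature check, and only the genuine token reaches the claims. Pinning the algorithm before looking at the signature is what prevents the token from downgrading its own verification.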

Affected Systems

This issue affects the OAuth Single Sign On – SSO (OAuth Client) plugin from cyberlord92 distributed through WordPress, versions up to and including 6.26.12. Users running these versions of the plugin on any WordPress installation are susceptible.

Risk and Exploitability

The CVSS score of 9.8 indicates critical severity, though the EPSS score of less than 1% suggests a low probability of exploitation in the wild at present. The vulnerability is not yet listed in the CISA KEV catalog. Based on the description, it is inferred that an attacker can exploit this flaw remotely by crafting a malicious ID token within the OAuth authentication flow, thereby bypassing authentication without needing any credentials. This provides full account takeover for existing users or creation of new accounts.

Generated by OpenCVE AI on April 20, 2026 at 19:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the OAuth Single Sign On – SSO plugin to the latest version that includes proper JWT signature verification (V6.26.13 or later).
  • If an update is unavailable, disable the OAuth SSO feature in the plugin settings to prevent authentication bypass until a patch is released.
  • Monitor the WordPress plugin repository and security advisories for a formal patch or CVE update and apply it promptly.

Advisories
Source: EUVD
ID: EUVD-2025-32420
Title: The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress is vulnerable to Improper Verification of Cryptographic Signature in versions up to, and including, 6.26.12. This is due to the plugin performing unsafe JWT token processing without verification or validation in the `get_resource_owner_from_id_token` function. This makes it possible for unauthenticated attackers to bypass authentication and gain access to any existing user account - including administrators in certain configurations - or to create arbitrary subscriber-level accounts.
History

Mon, 06 Oct 2025 15:15:00 +0000

Type: Metrics (ssvc)
Values Removed: none
Values Added:
{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 06 Oct 2025 14:45:00 +0000

Type: First Time appeared
Values Removed: none
Values Added:
  • Oauth Client Single Sign On Project
  • Oauth Client Single Sign On Project oauth Client Single Sign On
  • Wordpress
  • Wordpress wordpress

Type: Vendors & Products
Values Removed: none
Values Added:
  • Oauth Client Single Sign On Project
  • Oauth Client Single Sign On Project oauth Client Single Sign On
  • Wordpress
  • Wordpress wordpress

Sat, 04 Oct 2025 02:30:00 +0000

Type: Description
Values Added: The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress is vulnerable to Improper Verification of Cryptographic Signature in versions up to, and including, 6.26.12. This is due to the plugin performing unsafe JWT token processing without verification or validation in the `get_resource_owner_from_id_token` function. This makes it possible for unauthenticated attackers to bypass authentication and gain access to any existing user account - including administrators in certain configurations - or to create arbitrary subscriber-level accounts.

Type: Title
Values Added: OAuth Single Sign On – SSO (OAuth Client) <= 6.26.12 - Authentication Bypass via get_resource_owner_from_id_token()

Type: Weaknesses
Values Added: CWE-347

Type: References

Type: Metrics (cvssV3_1)
Values Added:
{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:25:21.100Z

Reserved: 2025-08-26T08:59:36.029Z

Link: CVE-2025-9485

Vulnrichment

Updated: 2025-10-06T14:14:16.651Z

NVD

Status : Deferred

Published: 2025-10-04T03:15:38.780

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-9485

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T19:30:06Z

Weaknesses