Introduction
Attackers can gain administrator access to WordPress sites running the OwnID Passwordless Login plugin if it is not fully configured. This critical flaw lets an unauthenticated attacker log in as any user on an affected site, putting every account, including administrators, at risk.
About OwnID and the Plugin: OwnID provides passwordless authentication solutions for web platforms, including WordPress and WooCommerce. Their WordPress plugin, while only installed on about 200 sites as of June 2024, is designed to improve security and user experience by eliminating passwords. However, a critical flaw in its authentication logic has exposed those sites to account takeover.
Technical Information
CVE-2025-10294 is an authentication bypass vulnerability in the OwnID Passwordless Login plugin for WordPress, affecting all versions up to and including 1.3.4. The vulnerability is due to improper validation of the ownid_shared_secret configuration parameter during JWT (JSON Web Token) authentication.
Vulnerability Mechanism:
- The plugin uses JWTs to authenticate users. In a secure implementation, JWTs are signed with a shared secret and the server verifies that signature before trusting any claim in the token.
- In affected versions, the plugin does not check whether ownid_shared_secret is empty before validating JWTs.
- If the shared secret is unset (which happens when the plugin is installed but not fully configured), the plugin either skips the signature check or verifies the signature against an empty key, which an attacker can trivially satisfy. Either way, any JWT is accepted regardless of who produced it.
- This allows an attacker to craft a JWT with arbitrary claims (such as an admin user ID) and present it to the authentication endpoint. The plugin accepts the token and logs the attacker in as that user.
Root Cause:
- The core issue is a missing validation step for the ownid_shared_secret parameter. The plugin should deny authentication outright if the secret is not set, but instead it proceeds with JWT validation (or skips it), resulting in authentication bypass. Validation against an unset secret is no validation at all, since an attacker can produce tokens under the same empty key.
- This is classified as CWE-288: Authentication Bypass Using an Alternate Path or Channel.
No public code snippets or vulnerable code lines are available in the referenced sources.
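The following is an added, self-contained illustration of the failure mode described above, not the plugin's code: a minimal HS256 JWT verifier written two ways. The vulnerable variant runs the HMAC check with whatever secret is configured, so with an empty secret a token forged under the empty key passes; the hardened variant fails closed when no secret is set and rejects malformed or wrong-algorithm tokens. The claim names (sub, role) and the user ID 1 are assumptions for the demonstration; the real plugin's claim layout and user lookup are not documented in the sources.

```python
import base64
import hashlib
import hmac
import json
from typing import Callable, Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_hs256(payload: dict, secret: str) -> str:
    """Mint an HS256 JWT. An attacker who knows the key is empty can call this
    with secret="" and get a token the vulnerable verifier accepts."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_vulnerable(token: str, shared_secret: str) -> Optional[dict]:
    """Illustrative vulnerable pattern (assumed, not the plugin's code): the
    configured secret is used as-is, with no check that it was ever set.
    With shared_secret == "" the HMAC is computed over a key every attacker knows."""
    header, body, sig = token.split(".")
    expected = hmac.new(shared_secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    return json.loads(_b64url_decode(body))


def verify_hardened(token: str, shared_secret: str) -> Optional[dict]:
    """Fail closed: an unconfigured secret means no token can authenticate anyone."""
    if not shared_secret:
        return None
    try:
        header, body, sig = token.split(".")
        hdr = json.loads(_b64url_decode(header))
    except (ValueError, UnicodeDecodeError):
        return None
    if hdr.get("alg") != "HS256":  # pin the algorithm; never trust the token's choice
        return None
    expected = hmac.new(shared_secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        return None
    return json.loads(_b64url_decode(body))


def attacker_login(verify: Callable[[str, str], Optional[dict]], shared_secret: str) -> Optional[str]:
    """Simulate the bypass: forge a token for user ID 1 (assumed to be the site's
    first administrator) signed under the empty key, and see whether the given
    verifier lets it through."""
    forged = sign_hs256({"sub": 1, "role": "administrator"}, "")
    claims = verify(forged, shared_secret)
    return None if claims is None else f"logged in as user {claims['sub']}"


if __name__ == "__main__":
    print("unset secret, vulnerable:", attacker_login(verify_vulnerable, ""))
    print("unset secret, hardened:  ", attacker_login(verify_hardened, ""))
    print("set secret, vulnerable:  ", attacker_login(verify_vulnerable, "s3cret"))
```

The point of the two verifiers is that the difference is a single guard on the configuration value, not anything in the HMAC arithmetic: once a secret is actually set, even the vulnerable verifier rejects the forged token, which is why the bug only bites on incompletely configured sites.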
Affected Systems and Versions
- Product: OwnID Passwordless Login plugin for WordPress
- Affected versions: All versions up to and including 1.3.4
- Vulnerable configuration: Sites where the plugin is installed but the ownid_shared_secret is empty or unset (typically during or after incomplete configuration)
Vendor Security History
- The OwnID Passwordless Login plugin has a history of severe bugs, including a critical issue in version 1.3.4 that locked out all users (see WordPress support thread).
- Similar issues were reported in earlier versions (1.3.1, fixed in 1.3.2, then reintroduced in 1.3.4), suggesting recurring quality assurance and regression testing problems.
- As of this writing, there is no public evidence of a timely patch or detailed vendor advisory for CVE-2025-10294.