Introduction
Attackers can gain administrator access to WordPress sites running a popular OAuth plugin by forging authentication tokens. This flaw affects thousands of sites that rely on the OAuth Single Sign On – SSO (OAuth Client) plugin for secure login integration with enterprise identity providers.
The OAuth Single Sign On – SSO (OAuth Client) plugin is developed by miniOrange, a major vendor in the WordPress authentication ecosystem. It supports OAuth 1.0, 2.0, 2.1, and OpenID Connect, and is used by organizations to connect WordPress with providers like Azure AD, Google Workspace, and Office 365. The plugin is widely adopted in enterprise and SMB environments.
Technical Information
CVE-2025-9485 is caused by improper verification of JWT signatures in the get_resource_owner_from_id_token function. In all versions up to and including 6.26.12, the plugin processes JWTs received from OAuth or OpenID Connect providers without validating their cryptographic signatures. This means any party can submit a JWT with a forged payload and an invalid or empty signature, and the plugin will accept it as authentic.
The vulnerable code is located in class-mooauth-widget.php at line 577 in version 6.26.12:
// Reference: https://plugins.trac.wordpress.org/browser/miniorange-login-with-eve-online-google-facebook/tags/6.26.12/class-mooauth-widget.php#L577
// The function get_resource_owner_from_id_token processes the JWT without signature verification
Because signature verification is omitted, an attacker can craft a JWT with the sub claim set to any user ID (including administrator accounts) and submit it to the plugin. The plugin will then log the attacker in as that user. In some configurations, attackers can also create arbitrary subscriber-level accounts by manipulating the token payload.
This vulnerability is classified as CWE-347 (Improper Verification of Cryptographic Signature).
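The defect class can be illustrated with a short PHP example. This is an added example, not code from the miniOrange plugin or the advisory: it places the CWE-347 pattern (decode the JWT payload and trust its claims without looking at the signature) next to a verifier that pins the expected algorithm, checks the signature before reading any claim, and then validates iss, aud, exp and sub as an OpenID Connect relying party must. The function names, the RSA key generated at runtime, the issuer URL and client ID are all constructed for the demonstration.

```php
<?php
// Added example, not the plugin's code. Contrasts unverified JWT claim use (CWE-347)
// with a verifier that checks the signature before trusting anything in the payload.
// All names, keys and claim values below are constructed for this demo.

function b64url_encode(string $data): string {
    return rtrim(strtr(base64_encode($data), '+/', '-_'), '=');
}

function b64url_decode(string $data): string|false {
    $pad = strlen($data) % 4;
    if ($pad) { $data .= str_repeat('=', 4 - $pad); }
    return base64_decode(strtr($data, '-_', '+/'), true);
}

// VULNERABLE PATTERN (the behaviour the advisory describes): split the token,
// decode the payload and trust its claims. The third segment is never examined,
// so an empty or garbage signature is accepted.
function claims_without_verification(string $jwt): ?array {
    $parts = explode('.', $jwt);
    if (count($parts) < 2) { return null; }
    $payload = json_decode(b64url_decode($parts[1]), true);
    return is_array($payload) ? $payload : null;
}

// HARDENED: verify before trusting any claim. $expectedAlg comes from the relying
// party's own configuration, never from the token header, so "alg":"none" and
// HS256/RS256 confusion are rejected. $key is an HMAC secret for HS256 or a PEM
// public key for RS256.
function verify_id_token(string $jwt, string $expectedAlg, string $key,
                         string $issuer, string $audience, ?int $now = null): ?array {
    $parts = explode('.', $jwt);
    if (count($parts) !== 3) { return null; }
    [$h, $p, $s] = $parts;
    $header  = json_decode(b64url_decode($h), true);
    $payload = json_decode(b64url_decode($p), true);
    $sig     = b64url_decode($s);
    if (!is_array($header) || !is_array($payload) || $sig === false || $sig === '') { return null; }
    if (($header['alg'] ?? null) !== $expectedAlg) { return null; }

    $signingInput = "$h.$p";
    if ($expectedAlg === 'HS256') {
        $expected = hash_hmac('sha256', $signingInput, $key, true);
        if (!hash_equals($expected, $sig)) { return null; }   // constant-time compare
    } elseif ($expectedAlg === 'RS256') {
        if (openssl_verify($signingInput, $sig, $key, OPENSSL_ALGO_SHA256) !== 1) { return null; }
    } else {
        return null;   // unsupported algorithm: fail closed
    }

    // Claim checks that follow a successful signature check.
    $now = $now ?? time();
    if (($payload['iss'] ?? null) !== $issuer) { return null; }
    $aud = $payload['aud'] ?? null;
    $audOk = (is_string($aud) && $aud === $audience)
          || (is_array($aud) && in_array($audience, $aud, true));
    if (!$audOk) { return null; }
    if (!isset($payload['exp']) || !is_int($payload['exp']) || $payload['exp'] <= $now) { return null; }
    if (!isset($payload['sub']) || !is_string($payload['sub']) || $payload['sub'] === '') { return null; }
    return $payload;
}

// Plays the identity provider: mints a properly RS256-signed ID token for the demo.
function sign_rs256(array $payload, $privateKey): string {
    $h = b64url_encode(json_encode(['alg' => 'RS256', 'typ' => 'JWT']));
    $p = b64url_encode(json_encode($payload));
    openssl_sign("$h.$p", $sig, $privateKey, OPENSSL_ALGO_SHA256);
    return "$h.$p." . b64url_encode($sig);
}

// --- Demo with constructed values ---
$priv     = openssl_pkey_new(['private_key_bits' => 2048, 'private_key_type' => OPENSSL_KEYTYPE_RSA]);
$pub      = openssl_pkey_get_details($priv)['key'];   // PEM public key the relying party would fetch from the IdP
$issuer   = 'https://idp.example.test';               // constructed issuer
$audience = 'wp-client-id-example';                   // constructed client ID
$now      = time();

// A genuine token from the IdP, and the advisory's case: same structure, empty signature segment.
$good = sign_rs256(['iss' => $issuer, 'aud' => $audience, 'sub' => 'user-42', 'exp' => $now + 300], $priv);
$unsigned = b64url_encode(json_encode(['alg' => 'RS256', 'typ' => 'JWT'])) . '.'
          . b64url_encode(json_encode(['iss' => $issuer, 'aud' => $audience, 'sub' => 'admin-1', 'exp' => $now + 300]))
          . '.';

var_dump(claims_without_verification($unsigned)['sub']);                        // vulnerable path: trusts the claim
var_dump(verify_id_token($unsigned, 'RS256', $pub, $issuer, $audience, $now)); // hardened path: rejected
var_dump(verify_id_token($good, 'RS256', $pub, $issuer, $audience, $now)['sub']);
```

Run with `php example.php`: the unverified decoder returns the sub claim of the unsigned token, the verifier returns NULL for it and returns the claims of the genuinely signed token. Two design points matter for a fix of this class: the accepted algorithm is pinned by configuration rather than read from the token header, and claim checks (issuer, audience, expiry, subject) only run after the signature check has passed, so a valid signature is never a substitute for validating who issued the token and for whom.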
Affected Systems and Versions
- Product: OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress (by miniOrange)
- Affected versions: Up to and including 6.26.12
- All configurations using the plugin's OAuth or OpenID Connect login flows are vulnerable
Vendor Security History
miniOrange has previously released plugins with advanced authentication features for WordPress. In recent disclosures, the same plugin was found vulnerable to Cross-Site Request Forgery (CSRF) in versions up to 6.26.12. The vendor responded rapidly to this JWT flaw, releasing a patched version (6.26.13) soon after disclosure. The presence of both CSRF and JWT signature verification bypass issues in a core authentication plugin highlights the need for stronger security review and testing in their development process.