OAuth SSO WordPress Plugin CVE-2025-9485: Brief Summary of Critical JWT Signature Verification Bypass

This post provides a brief summary of CVE-2025-9485, a critical JWT signature verification bypass in the OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress up to version 6.26.12. It covers technical details, affected versions, and vendor security history based on available public sources.
CVE Analysis

7 min read

ZeroPath CVE Analysis

2025-10-03
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

Attackers can gain administrator access to WordPress sites running a widely used OAuth plugin by forging the ID token the plugin receives during login. The flaw affects every site that relies on the OAuth Single Sign On – SSO (OAuth Client) plugin to integrate WordPress login with enterprise identity providers.

The OAuth Single Sign On – SSO (OAuth Client) plugin is developed by miniOrange, a major vendor in the WordPress authentication ecosystem. It supports OAuth 1.0, 2.0, 2.1, and OpenID Connect, and is used by organizations to connect WordPress with providers like Azure AD, Google Workspace, and Office 365. The plugin is widely adopted in enterprise and SMB environments.

Technical Information

CVE-2025-9485 is a missing signature check in the plugin's get_resource_owner_from_id_token function. In all versions up to and including 6.26.12, the function decodes the JWT ID token returned by the OAuth or OpenID Connect provider and reads its claims without verifying the token's cryptographic signature. Anyone who can deliver a JWT to the plugin's login flow can therefore supply a forged payload with an invalid or empty signature, and the plugin treats it as a genuine assertion from the identity provider.

The vulnerable code is in class-mooauth-widget.php at line 577 of version 6.26.12:

// Reference: https://plugins.trac.wordpress.org/browser/miniorange-login-with-eve-online-google-facebook/tags/6.26.12/class-mooauth-widget.php#L577
// The function get_resource_owner_from_id_token processes the JWT without signature verification

Because the signature is never checked, an attacker can craft a JWT whose sub claim (or whichever claim the plugin maps to a WordPress account) names an existing user, including an administrator, and submit it to the plugin; the plugin then logs the attacker in as that user. In some configurations, attackers can also create arbitrary subscriber-level accounts by manipulating the token payload.
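To make the failure concrete, the following Python model (added here; it is not the plugin's PHP code and not miniOrange's fix) shows the CWE-347 pattern side by side with a verifying consumer. It assumes an HS256-signed ID token with a constructed shared secret, a constructed issuer and client ID, and a fixed clock so the result is reproducible; a real OpenID Connect provider would normally sign with RS256 and publish its public keys at the discovery document's jwks_uri, but the shape of the check is the same.

```python
"""Constructed model of CVE-2025-9485's pattern: an ID token consumer that never
checks the signature, beside one that does. Not the plugin's own code."""
import base64
import hashlib
import hmac
import json
import time

# Constructed secret standing in for the identity provider's signing key.
PROVIDER_SECRET = b"constructed-provider-secret"
# Constructed issuer and client ID (the token's expected iss and aud).
ISSUER = "https://idp.example"
AUDIENCE = "wp-client-id"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(claims: dict, key: bytes) -> str:
    """What the genuine provider does: header.payload signed with its key."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def forge_id_token(claims: dict) -> str:
    """What the attacker does: any payload at all, with a garbage signature."""
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header}.{payload}.{b64url_encode(b'forged')}"


def resource_owner_unverified(id_token: str) -> dict:
    """Vulnerable pattern: split, base64-decode the payload, trust it.
    The third segment is never inspected, so any signature (or none) passes."""
    _header, payload, _signature = id_token.split(".")
    return json.loads(b64url_decode(payload))


def resource_owner_verified(id_token: str, key: bytes, issuer: str, audience: str, now=None) -> dict:
    """Hardened pattern: pin the algorithm, check the MAC in constant time,
    then check iss, aud and exp before trusting a single claim."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Never let the token pick the algorithm: rejects "none" and key-confusion tricks.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    try:
        presented = b64url_decode(sig_b64)
    except ValueError:
        raise ValueError("bad signature")
    if not hmac.compare_digest(expected, presented):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != issuer or claims.get("aud") != audience:
        raise ValueError("wrong issuer or audience")
    now = time.time() if now is None else now
    if claims.get("exp", 0) <= now:
        raise ValueError("expired")
    return claims


def demo(now: int = 1_700_000_000) -> dict:
    """Forge an admin token (sub "1") and feed it to both consumers."""
    admin_claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": "1", "email": "admin@example.com", "exp": now + 300}
    forged = forge_id_token(admin_claims)
    genuine = sign_hs256(admin_claims, PROVIDER_SECRET)
    result = {"unverified_accepts_forged": resource_owner_unverified(forged)["sub"] == "1"}
    try:
        resource_owner_verified(forged, PROVIDER_SECRET, ISSUER, AUDIENCE, now=now)
        result["verified_accepts_forged"] = True
    except ValueError:
        result["verified_accepts_forged"] = False
    result["verified_accepts_genuine"] = (
        resource_owner_verified(genuine, PROVIDER_SECRET, ISSUER, AUDIENCE, now=now)["sub"] == "1"
    )
    return result


if __name__ == "__main__":
    print(demo())
```

The unverified consumer maps the forged sub to user 1 exactly as the page describes; the verified one rejects it on the MAC check and would also reject an alg:none token on the algorithm pin, before any claim is read.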

This vulnerability is classified as CWE-347 (Improper Verification of Cryptographic Signature).

Affected Systems and Versions

  • Product: OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress (by miniOrange)
  • Affected versions: Up to and including 6.26.12
  • Patched version: 6.26.13
  • All configurations using the plugin's OAuth or OpenID Connect login flows are vulnerable

Vendor Security History

miniOrange ships a range of authentication plugins for WordPress. The same plugin was recently reported vulnerable to Cross-Site Request Forgery (CSRF), also in versions up to 6.26.12. The vendor responded quickly to the JWT flaw, releasing the patched version 6.26.13 shortly after disclosure. That a core authentication plugin carried both a CSRF issue and a missing JWT signature check points to the need for stronger security review and testing of its authentication paths. Sites should update to 6.26.13 or later and, until they do, review administrator accounts and recent SSO logins for unexpected activity.
