CVE-2025-9485

CRITICAL 9.8

OAuth Single Sign On – SSO (OAuth Client) <= 6.26.12 - Authentication Bypass via get_resource_owner_from_id_token()

CVSS Score

9.8

EPSS Score

0.0%

EPSS Percentile

0th

The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress is vulnerable to Improper Verification of Cryptographic Signature in versions up to, and including, 6.26.12. This is due to the plugin performing unsafe JWT token processing without verification or validation in the `get_resource_owner_from_id_token` function. This makes it possible for unauthenticated attackers to bypass authentication and gain access to any existing user account - including administrators in certain configurations - or to create arbitrary subscriber-level accounts.

CWE	CWE-347
Vendor	cyberlord92
Product	oauth single sign on – sso (oauth client)
Published	Oct 4, 2025
Last Updated	Apr 8, 2026

Stay Ahead of the Next One

Get instant alerts for cyberlord92 oauth single sign on – sso (oauth client)

Be the first to know when new critical vulnerabilities affecting cyberlord92 oauth single sign on – sso (oauth client) are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Attack Complexity

Privileges Required

User Interaction

Scope

Confidentiality

Integrity

Availability

Affected Versions

cyberlord92 / OAuth Single Sign On – SSO (OAuth Client)

0 ≤ 6.26.12

References

NVD ↗ CVE.org ↗ EPSS Data ↗

wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/d2448afc-70d1-4dd5-b73b-62d182ee9a8a?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/miniorange-login-with-eve-online-google-facebook/tags/6.26.12/class-mooauth-widget.php#L577 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset/3360768/miniorange-login-with-eve-online-google-facebook

Credits

Jonas Benjamin Friedli