CVE-2025-10294 is a critical vulnerability classified under CWE-288 (Authentication Bypass Using an Alternate Path or Channel) affecting the OwnID Passwordless Login plugin for WordPress. The vulnerability exists because the plugin does not properly check if the ownid_shared_secret parameter is empty before authenticating a user via JSON Web Tokens (JWT). This improper validation allows an unauthenticated attacker to bypass authentication controls and log in as any user, including administrators, on WordPress sites where the plugin is installed but not fully configured. The issue affects all versions up to and including 1.3.4. The attack vector requires no privileges and no user interaction, making exploitation straightforward if the plugin is misconfigured. The CVSS v3.1 score of 9.8 reflects the high impact on confidentiality, integrity, and availability, as attackers can gain full administrative control over the affected WordPress instance. While no public exploits have been reported yet, the vulnerability's nature and ease of exploitation make it a critical threat. The plugin’s reliance on the ownid_shared_secret for JWT authentication means that if this secret is empty or missing, the authentication mechanism is effectively bypassed. This flaw is particularly dangerous during initial plugin setup phases or incomplete configurations, which are common in real-world deployments. The vulnerability highlights the importance of secure default configurations and robust input validation in authentication mechanisms.

The impact on European organizations can be severe. Successful exploitation allows attackers to gain unauthorized administrative access to WordPress sites, potentially leading to full site compromise. This includes the ability to modify content, steal sensitive data, deploy malware, or pivot to other internal systems. Organizations relying on WordPress for corporate websites, intranets, or customer portals may face data breaches, reputational damage, and operational disruption. Given WordPress’s widespread use across Europe, especially in small to medium enterprises and public sector websites, the attack surface is significant. The vulnerability is particularly critical for sites that have not completed plugin configuration, a common scenario during deployment or updates. Attackers could exploit this to bypass multi-factor authentication or other security controls implemented at the WordPress level. Additionally, compromised administrator accounts could be used to launch further attacks such as ransomware or supply chain compromises. The lack of known exploits in the wild currently provides a window for proactive mitigation, but the high CVSS score and ease of exploitation indicate a high likelihood of future attacks targeting vulnerable European entities.

1. Immediately verify that the OwnID Passwordless Login plugin is fully configured, ensuring the ownid_shared_secret is properly set and not empty. 2. If configuration cannot be confirmed or completed, disable or uninstall the plugin until a patched version is released. 3. Monitor WordPress login logs for unusual or unauthorized login attempts, especially those bypassing normal authentication flows. 4. Restrict access to WordPress administrative interfaces using IP whitelisting or VPNs to reduce exposure. 5. Implement additional layers of authentication such as multi-factor authentication (MFA) at the WordPress or web server level. 6. Keep WordPress core, plugins, and themes updated to the latest versions to reduce the risk of chained vulnerabilities. 7. Conduct security audits on WordPress configurations to detect incomplete setups or insecure defaults. 8. Prepare incident response plans specific to WordPress compromises, including backup and recovery strategies. 9. Engage with the plugin vendor or community to track patch releases and apply updates promptly once available. 10. Consider alternative passwordless authentication solutions with proven security records if immediate mitigation is not feasible.