The OwnID Passwordless Login plugin for WordPress, widely used to enable passwordless authentication via JWT tokens, contains a critical vulnerability identified as CVE-2025-10294. This vulnerability stems from improper validation of the ownid_shared_secret parameter during the authentication process. Specifically, the plugin does not check whether this shared secret is empty before accepting JWT tokens for user authentication. As a result, an attacker can bypass authentication controls by exploiting this logic flaw, effectively logging in as any user, including those with administrative privileges. The vulnerability affects all versions up to and including 1.3.4. The attack vector is network-based with no required privileges or user interaction, making it trivially exploitable remotely. The vulnerability is categorized under CWE-288 (Authentication Bypass Using an Alternate Path or Channel), highlighting that the authentication mechanism can be circumvented through an unintended path. The CVSS v3.1 score of 9.8 (critical) reflects the ease of exploitation and the severe consequences, including full compromise of confidentiality, integrity, and availability of affected WordPress instances. While no public exploits are currently reported, the vulnerability's nature and severity suggest that exploitation could lead to unauthorized administrative access, data theft, site defacement, or deployment of malicious code. The issue is particularly dangerous on sites where the plugin is installed but not fully configured, as the empty shared secret condition is more likely to occur. No official patches or updates are currently linked, emphasizing the need for immediate attention from site administrators and security teams.

For European organizations, this vulnerability poses a significant threat to WordPress-based websites that utilize the OwnID Passwordless Login plugin. Unauthorized administrative access can lead to data breaches involving sensitive customer or employee information, disruption of business operations through website defacement or downtime, and potential lateral movement within corporate networks if the compromised site is connected internally. Organizations in sectors such as finance, healthcare, e-commerce, and government are particularly at risk due to the sensitive nature of their data and regulatory requirements like GDPR. The ease of exploitation without authentication or user interaction means attackers can rapidly compromise multiple sites, increasing the risk of widespread impact. Additionally, compromised sites can be used as platforms for phishing, malware distribution, or launching further attacks, amplifying the threat landscape. The lack of a patch at the time of disclosure increases the urgency for organizations to implement interim mitigations to protect their assets.

1. Immediate action should be taken to verify the configuration status of the OwnID Passwordless Login plugin; ensure that the ownid_shared_secret is properly set and not empty. 2. If possible, temporarily disable or uninstall the plugin until a security patch or update is released by the vendor. 3. Monitor WordPress logs and authentication events for unusual login attempts or successful logins without proper credentials. 4. Implement web application firewalls (WAFs) with custom rules to detect and block suspicious JWT authentication requests that lack valid shared secrets. 5. Restrict administrative access to the WordPress backend by IP whitelisting or VPN access to reduce exposure. 6. Conduct a thorough security audit of all WordPress plugins and themes to identify other potential vulnerabilities or misconfigurations. 7. Prepare an incident response plan to quickly address any signs of compromise, including restoring from clean backups and rotating credentials. 8. Stay informed on vendor communications for patches or updates and apply them promptly once available. 9. Educate site administrators about the risks of incomplete plugin configurations and the importance of secure setup procedures.