CVE-2025-10294: CWE-288 Authentication Bypass Using an Alternate Path or Channel in victornavarro OwnID Passwordless Login
The OwnID Passwordless Login plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.3.4. This is due to the plugin not properly checking if the ownid_shared_secret value is empty prior to authenticating a user via JWT. This makes it possible for unauthenticated attackers to log in as other users, including administrators, on instances where the plugin has not been fully configured yet.
AI Analysis
Technical Summary
The OwnID Passwordless Login plugin for WordPress, up to and including version 1.3.4, contains a critical authentication bypass tracked as CVE-2025-10294. The plugin authenticates users by validating a JWT against the ownid_shared_secret value held in its settings (a stored configuration value, not a request parameter), but it does not check whether that value is empty before doing so. On an installation where the plugin is active but has not been fully configured, the secret is empty, so nothing site-specific binds a token to that site: a token constructed with the same empty value passes the plugin's check. An unauthenticated attacker who can reach the plugin's login flow can therefore present a token naming any user, including an administrator, and be logged in as that user. Installations whose shared secret has been set are not affected by this particular issue. The weakness is classified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel): the JWT flow is an authentication path alongside the normal WordPress login, and that path can be satisfied without a credential. The CVSS 3.1 base score is 9.8 (critical), corresponding to a network attack vector, low complexity, no privileges or user interaction required, and full impact on confidentiality, integrity, and availability. No patch or fixed version is linked on this page and no in-the-wild exploitation has been reported, but the attack costs nothing more than crafting a token, so unconfigured instances should be treated as exposed.
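To make the failure mode concrete, the following is an added illustration in Python; it is not code from the plugin or from the advisory. It shows why an empty shared secret is fatal for HS256-style token verification and what a fail-closed check looks like. The token layout (standard compact JWT signed with HS256), the claim names "sub" and "exp", and all function names are assumptions made for this example; the page does not describe the plugin's actual token format. `stored_secret` stands in for the ownid_shared_secret value.

```python
"""Added illustration: HS256 JWT verification with a possibly-empty secret.

Not the plugin's code. The token format (compact JWT, HS256) and the claim
names "sub"/"exp" are assumptions for this example; `stored_secret` stands in
for the ownid_shared_secret setting described in the advisory.
"""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_hs256(claims: dict, secret: str) -> str:
    """Produce a compact HS256 JWT. Anyone, including an attacker, can call
    this with secret="" to forge a token that verifies under an empty key."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"},
                                separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}".encode()
    sig = hmac.new(secret.encode(), signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def _verify_signature(token: str, secret: str) -> Optional[dict]:
    """Return the claims if the HS256 signature matches `secret`, else None."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except (ValueError, TypeError):          # malformed base64 / JSON / structure
        return None
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None
    if header.get("alg") != "HS256":        # never let the token choose the algorithm
        return None
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):   # constant-time comparison
        return None
    return claims


def vulnerable_login(token: str, stored_secret: str) -> Optional[str]:
    """The pattern the advisory describes: the stored secret is used as-is,
    so on an unconfigured site (secret == "") a forged token is accepted."""
    claims = _verify_signature(token, stored_secret)
    return None if claims is None else claims.get("sub")


def hardened_login(token: str, stored_secret: str,
                   now: Optional[float] = None) -> Optional[str]:
    """Fail closed while unconfigured, and bound the token lifetime."""
    if not stored_secret or len(stored_secret) < 32:
        return None                          # empty or weak secret: refuse to authenticate
    claims = _verify_signature(token, stored_secret)
    if claims is None:
        return None
    now = time.time() if now is None else now
    exp = claims.get("exp")
    if isinstance(exp, bool) or not isinstance(exp, (int, float)) or exp < now:
        return None                          # missing or expired token
    return claims.get("sub")


if __name__ == "__main__":
    # Attacker forges an admin token with no knowledge of any secret.
    forged = mint_hs256({"sub": "admin", "exp": 4102444800}, "")
    print("vulnerable, unconfigured:", vulnerable_login(forged, ""))      # admin
    print("hardened, unconfigured:  ", hardened_login(forged, ""))        # None
    secret = "d3f4ul7-r3pl4c3-w17h-r4nd0m-32+-byt3s!!"                   # constructed example secret
    print("vulnerable, configured:  ", vulnerable_login(forged, secret))  # None
```

The point of the hardened variant is not the length check by itself but the ordering: the configuration state is examined before any cryptographic work is done, so an unconfigured deployment cannot reach the point where an attacker-chosen token is compared against an attacker-known key.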
Potential Impact
The impact of CVE-2025-10294 is severe for any site where the plugin is installed but its shared secret has never been set, for example a site on which the plugin was activated and then left mid-setup. Successful exploitation lets an attacker assume the identity of any user, including administrators, without a credential. Administrator access in WordPress is equivalent to site takeover: the attacker can edit or delete content, read user data and configuration, install plugins or themes carrying a web shell, create additional administrator accounts as a persistent backdoor, and use the site to host phishing pages or malware. Where the WordPress host shares credentials or network access with other systems, the compromise can extend beyond the site itself. For affected instances the exposure of confidentiality, integrity, and availability is complete, with the usual follow-on consequences of reputational damage, financial loss, and regulatory penalties for a data breach or service disruption.
Mitigation Recommendations
Because the bypass depends on an empty ownid_shared_secret, the first step is to confirm on every WordPress site running the plugin whether the secret has been set. Where it has not, either complete the configuration with a long, randomly generated secret or deactivate and remove the plugin: an installed but unconfigured plugin delivers no passwordless login benefit and only adds an unauthenticated path to administrator access. Update the plugin as soon as a version later than 1.3.4 that addresses this issue is published. Until then, restrict the plugin's login endpoint and wp-admin with IP allowlisting or WAF rules where the user base permits it. Multi-factor authentication remains good practice, but treat it as defense in depth here rather than a fix: MFA enforced at the standard WordPress login form does not necessarily apply to a login completed through the plugin's own JWT flow. Review authentication logs and the wp_users table for administrator sessions or accounts that did not originate from a normal password login, and for administrator accounts created since the plugin was installed. If an unconfigured instance was reachable from the Internet, treat it as potentially compromised: rotate credentials and keys, inspect plugin and theme directories for unexpected files, and follow the incident response process. Segmenting critical WordPress instances limits the blast radius if a compromise does occur.
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan, South Korea
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-09-11T19:57:38.707Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68ef5c7cc4f69c9730e56974
Added to database: 10/15/2025, 8:34:04 AM
Last enriched: 2/27/2026, 6:18:36 PM
Last updated: 3/24/2026, 1:34:52 PM