
CVE-2025-10305: CWE-862 Missing Authorization in endisha Secure Passkeys

Severity: Medium
Tags: Vulnerability, CVE-2025-10305, CWE-862
Published: Sat Sep 20 2025 (09/20/2025, 04:27:55 UTC)
Source: CVE Database V5
Vendor/Project: endisha
Product: Secure Passkeys

Description

The Secure Passkeys plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the delete_passkey() and passkeys_list() functions in all versions up to, and including, 1.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view and delete passkeys.

AI-Powered Analysis

Last updated: 09/28/2025, 00:47:11 UTC

Technical Analysis

CVE-2025-10305 is a missing-authorization flaw (CWE-862) in the Secure Passkeys plugin for WordPress by endisha. The plugin's delete_passkey() and passkeys_list() functions manage the passkeys (WebAuthn credentials) that users register for login, and neither checks the caller's capability or ownership before acting. Because WordPress only requires a valid login session to reach a plugin's authenticated handlers, any user at Subscriber level, the lowest default role, can list passkeys and delete passkeys belonging to other users. All versions up to and including 1.2.1 are affected.

The record carries a CVSS v3.1 base score of 5.3 with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N: reachable over the network, low attack complexity, no user interaction, integrity impact only. Two elements of that vector do not match the description. PR:N means no privileges at all, whereas the description requires an authenticated Subscriber account, which the CVSS v3.1 specification scores as PR:L; and C:N records no confidentiality impact although passkeys_list() exposes other users' passkey records. Treat the description as the authoritative statement of preconditions and impact, and the 5.3 as the score recorded with this entry.

A passkey record consists of a credential ID and a public key; the private key stays on the user's authenticator, so viewing the record alone does not let an attacker log in as the victim. Deletion is the more consequential primitive: it strips a phishing-resistant factor from the victim and forces them to re-enroll or fall back to whatever other login method the site allows, typically a password. That is an authentication downgrade and a disruption rather than a direct account takeover. No exploitation in the wild is reported here and no patch link is recorded; an affected range that ends at 1.2.1 usually indicates that a later release contains the fix, so check the plugin's changelog for a version newer than 1.2.1.
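The pattern the advisory describes, as an added example that is not the Secure Passkeys plugin's source: two WordPress admin-ajax handlers written the vulnerable way (reachable by any logged-in user, no nonce, no capability or ownership check) beside hardened versions that scope every query to the owning user and let only users with the edit_users capability act on someone else's passkeys. The table name, its columns, the action names and the nonce action are invented for the illustration.

```php
<?php
/**
 * Added illustration of the CWE-862 pattern behind CVE-2025-10305.
 * Example code, not the Secure Passkeys plugin's source. Assumptions:
 * passkeys live in a hypothetical table {$wpdb->prefix}passkeys with columns
 * id, user_id, credential_id, public_key, created; the wp_ajax_ action names
 * and the nonce action 'demo_passkeys_nonce' are made up for this example.
 */

// ---- Vulnerable shape: reachable by any logged-in user, no checks. ----
// wp_ajax_{action} fires for every authenticated session. WordPress validates
// the login cookie and nothing else; capability and ownership are on the plugin.
add_action( 'wp_ajax_demo_passkeys_list', 'demo_passkeys_list_vulnerable' );
function demo_passkeys_list_vulnerable() {
    global $wpdb;
    // Returns every user's passkey rows to whoever asks (missing authorization).
    $rows = $wpdb->get_results(
        "SELECT id, user_id, credential_id, created FROM {$wpdb->prefix}passkeys"
    );
    wp_send_json_success( $rows );
}

add_action( 'wp_ajax_demo_delete_passkey', 'demo_delete_passkey_vulnerable' );
function demo_delete_passkey_vulnerable() {
    global $wpdb;
    $id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    // Deletes whichever row the caller names; a Subscriber can remove an
    // administrator's passkey. No nonce either, so CSRF reaches it as well.
    $wpdb->delete( $wpdb->prefix . 'passkeys', array( 'id' => $id ), array( '%d' ) );
    wp_send_json_success();
}

// ---- Hardened shape: nonce, capability gate, ownership in the query. ----
// Policy used here: users manage only their own passkeys; a user with
// edit_users (administrators by default) may also target another user.
function demo_resolve_target_user( $requested ) {
    $me = get_current_user_id();
    if ( $requested > 0 && $requested !== $me && ! current_user_can( 'edit_users' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 ); // wp_die()s
    }
    return $requested > 0 ? $requested : $me;
}

add_action( 'wp_ajax_demo_passkeys_list_secure', 'demo_passkeys_list_secure' );
function demo_passkeys_list_secure() {
    global $wpdb;
    check_ajax_referer( 'demo_passkeys_nonce', 'nonce' ); // CSRF: dies on a bad nonce
    // 'read' is held by every default role including Subscriber; it only confirms
    // the caller has a role. The ownership scoping below does the real work.
    if ( ! current_user_can( 'read' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
    $user_id = demo_resolve_target_user( isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0 );
    // Query is bound to the resolved user; other users' rows never leave the DB.
    $rows = $wpdb->get_results( $wpdb->prepare(
        "SELECT id, credential_id, created FROM {$wpdb->prefix}passkeys WHERE user_id = %d",
        $user_id
    ) );
    wp_send_json_success( $rows );
}

add_action( 'wp_ajax_demo_delete_passkey_secure', 'demo_delete_passkey_secure' );
function demo_delete_passkey_secure() {
    global $wpdb;
    check_ajax_referer( 'demo_passkeys_nonce', 'nonce' );
    if ( ! current_user_can( 'read' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
    $id = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    // Look the row up first so the ownership decision uses the real owner,
    // not a user_id the client supplied.
    $owner = (int) $wpdb->get_var( $wpdb->prepare(
        "SELECT user_id FROM {$wpdb->prefix}passkeys WHERE id = %d", $id
    ) );
    if ( 0 === $owner ) {
        wp_send_json_error( array( 'message' => 'Not found' ), 404 );
    }
    demo_resolve_target_user( $owner ); // 403 unless caller is the owner or has edit_users
    // Owner is repeated in the WHERE clause so a race cannot delete a re-assigned row.
    $wpdb->delete(
        $wpdb->prefix . 'passkeys',
        array( 'id' => $id, 'user_id' => $owner ),
        array( '%d', '%d' )
    );
    wp_send_json_success();
}
```

The point worth taking from the hardened version is that a bare current_user_can() check would not have been a complete fix for passkeys_list(): a Subscriber legitimately needs to see their own passkeys, so authorization here is ownership, enforced in the query, plus a capability that decides who may cross user boundaries.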

Potential Impact

For European organizations running WordPress with the Secure Passkeys plugin, the risk is moderate. Any account at Subscriber level or above can list and delete other users' passkeys. The direct effect is on the integrity and availability of the passkey factor rather than immediate account takeover: a deleted passkey does not hand the attacker the victim's session, but it does remove a phishing-resistant factor from that user and forces them back to re-enrollment or to whatever fallback the site permits, most often a password. An attacker who can also phish or guess that password has thereby downgraded the victim's login path.

The precondition is cheaper than "authenticated" suggests. Sites with open registration (Settings > General, "Anyone can register", default role Subscriber), and membership, forum or e-commerce sites that create customer accounts, give the required privilege to anyone on the internet. Where registration is closed, the exposure is to insiders and to any compromised low-privilege account.

Customer-facing portals and sites in finance, healthcare and government, where authentication integrity matters most, face disruption, support load from re-enrollment, loss of user trust and, where personal data in the passkey records is exposed, GDPR incident-handling obligations.

Mitigation Recommendations

Inventory first: check every WordPress installation for the Secure Passkeys plugin and note its version (Plugins screen, or `wp plugin list` with WP-CLI). Versions 1.2.1 and earlier are affected; a range phrased "up to and including 1.2.1" normally means a fixed release follows, so compare against the plugin's changelog and update as soon as a newer version is available.

Until then, reduce who can reach the handlers. Deactivate the plugin if passkey login is not essential, accepting that users fall back to password login. If it must stay on, close open registration where it is enabled (Settings > General, or `wp option update users_can_register 0`) and review existing Subscriber-level accounts, since each one is a sufficient foothold. Log requests to admin-ajax.php and look for low-privilege users invoking the plugin's passkey actions, which legitimate Subscribers rarely do in bulk or against other users.

Take a database backup before and after, because the passkey records live in the WordPress database and deletion is otherwise unrecoverable. After updating, confirm the fix with a test Subscriber account: listing or deleting another user's passkeys should be refused with an authorization error. Independently of this issue, enforce a second factor on all accounts and keep a security plugin or integrity monitor watching for unauthorized changes to authentication data.
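A narrower stop-gap than deactivating the plugin, as an added example that is not part of the advisory or the plugin: a must-use plugin that intercepts the plugin's passkey admin-ajax actions and refuses them to anyone without the edit_users capability, logging each refusal. It assumes the plugin exposes list and delete as admin-ajax actions; the two action names below are placeholders to be replaced with the real `wp_ajax_` hook names found in the plugin's source.

```php
<?php
/**
 * Plugin Name: Passkey AJAX guard (temporary virtual patch)
 * Added example for CVE-2025-10305, not code from the Secure Passkeys plugin.
 * Place in wp-content/mu-plugins/ on an affected site until the plugin is
 * updated past 1.2.1, then remove it. Assumption: the plugin registers its
 * list/delete handlers with add_action( 'wp_ajax_...' ); read those names
 * from its source and put them in $guarded. The names below are placeholders.
 */

add_action( 'admin_init', 'demo_guard_passkey_ajax', 1 );
function demo_guard_passkey_ajax() {
    // admin-ajax.php defines DOING_AJAX and fires admin_init before wp_ajax_{action}.
    if ( ! wp_doing_ajax() || empty( $_REQUEST['action'] ) ) {
        return;
    }
    // Placeholder action names: replace with the plugin's real wp_ajax_ hook names.
    $guarded = array( 'PLUGIN_PASSKEYS_LIST_ACTION', 'PLUGIN_DELETE_PASSKEY_ACTION' );
    $action  = sanitize_key( wp_unslash( $_REQUEST['action'] ) );
    if ( ! in_array( $action, $guarded, true ) ) {
        return;
    }
    // Policy: only users who may edit other users (administrators by default)
    // reach these handlers while the vulnerable version is installed. This also
    // blocks legitimate self-service by ordinary users; it is a stop-gap, not a fix.
    if ( ! current_user_can( 'edit_users' ) ) {
        error_log( sprintf(
            'passkey-guard: blocked action=%s user_id=%d ip=%s',
            $action,
            get_current_user_id(),
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-'
        ) );
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 ); // wp_die()s here
    }
}
```

Must-use plugins load before regular plugins and cannot be deactivated from the admin screen, which is what makes this suitable as a guard. If the plugin serves these operations through the REST API rather than admin-ajax, the same policy belongs in a `rest_pre_dispatch` filter keyed on the route instead.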


Technical Details

Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-09-11T22:04:22.079Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 68cf42444a0b186b9321b040

Added to database: 9/21/2025, 12:09:40 AM

Last enriched: 9/28/2025, 12:47:11 AM

Last updated: 11/4/2025, 11:40:42 PM

