CVE-2025-10305: CWE-862 Missing Authorization in endisha Secure Passkeys
The Secure Passkeys plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the delete_passkey() and passkeys_list() functions in all versions up to, and including, 1.2.1. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view and delete passkeys.
AI Analysis
Technical Summary
CVE-2025-10305 is a vulnerability identified in the Secure Passkeys plugin developed by endisha for WordPress, present in all versions up to and including 1.2.1. The root cause is a missing authorization check (CWE-862) in two critical functions: delete_passkey() and passkeys_list(). These functions are responsible for managing passkeys, which are used for authentication purposes. Due to the lack of proper capability checks, any authenticated user with Subscriber-level access or higher can invoke these functions to view the list of passkeys and delete them arbitrarily. This bypasses intended access controls that should restrict such sensitive operations to administrators or trusted roles. The vulnerability does not require user interaction beyond authentication and can be exploited remotely over the network (via the WordPress interface). Although confidentiality of passkeys is not compromised (no direct data leakage reported), the integrity of authentication credentials is at risk because attackers can delete passkeys, potentially disrupting legitimate user access or enabling further attacks through account lockout or social engineering. The vulnerability has a CVSS v3.1 base score of 5.3, categorized as medium severity, reflecting its moderate impact and ease of exploitation. No patches or fixes have been published at the time of disclosure, and there are no known exploits in the wild. The vulnerability was reserved and published in September 2025 by Wordfence, a reputable security vendor. This issue highlights the importance of enforcing strict authorization checks in plugins managing authentication mechanisms.
Potential Impact
The primary impact of CVE-2025-10305 is on the integrity of authentication credentials within WordPress sites using the Secure Passkeys plugin. Attackers with Subscriber-level access can delete passkeys, potentially locking out legitimate users or administrators, causing denial of access or forcing password resets. This can disrupt normal operations, especially for sites relying heavily on passkeys for authentication. While confidentiality is not directly affected, the ability to manipulate authentication credentials undermines trust in the authentication system and could facilitate further attacks such as account takeover or privilege escalation if combined with other vulnerabilities. Organizations with multiple users at Subscriber level or higher are at greater risk. Since WordPress powers a significant portion of the web, including many business and e-commerce sites, the vulnerability could lead to operational disruptions, increased support costs, and reputational damage. The lack of a patch increases exposure time, and attackers could weaponize this flaw once exploit code becomes available. The vulnerability does not affect availability directly but can indirectly cause service interruptions due to authentication issues.
Mitigation Recommendations
Until an official patch is released, organizations should implement the following mitigations:
1) Restrict Subscriber-level user accounts by reviewing and minimizing the number of users with this role, especially on sites using the Secure Passkeys plugin.
2) Temporarily disable or uninstall the Secure Passkeys plugin if it is not critical to operations or if alternative authentication methods are available.
3) Implement additional access control measures such as web application firewalls (WAFs) to monitor and block suspicious requests targeting passkey management endpoints.
4) Monitor WordPress user activity logs for unusual access patterns or unauthorized attempts to delete passkeys.
5) Educate site administrators about the risk and encourage prompt updates once a patch is available.
6) Consider applying custom code or filters to enforce capability checks on the affected functions if feasible.
7) Regularly back up authentication data and site configurations to enable recovery in case of malicious deletions.
These steps go beyond generic advice by focusing on role management, plugin control, and proactive monitoring specific to this vulnerability.
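Mitigation 6 calls for capability checks on the affected functions. The code below is an added illustration and not the Secure Passkeys plugin's own code: the AJAX action name, the `example_passkeys` option and its record layout are assumptions. It places the unchecked handler shape (the CWE-862 pattern) beside a hardened handler that verifies a nonce and then requires either the `manage_options` capability or ownership of the specific record before deleting it; a list handler would apply the same check before returning records.

```php
<?php
// Added example, not code from the Secure Passkeys plugin. The hook name,
// the 'example_passkeys' option and the record layout are assumptions:
// the option holds id => array( 'user_id' => int, 'credential_id' => string ).

// Vulnerable shape (CWE-862): any logged-in user who reaches this AJAX action
// can delete any record, because nothing checks capability or ownership.
function example_delete_passkey_vulnerable() {
    $passkeys = get_option( 'example_passkeys', array() );
    $id       = isset( $_POST['passkey_id'] ) ? sanitize_key( $_POST['passkey_id'] ) : '';
    unset( $passkeys[ $id ] );
    update_option( 'example_passkeys', $passkeys );
    wp_send_json_success();
}

// Hardened shape: verify the nonce (CSRF), then require a privileged capability
// or ownership of the specific record before touching it.
function example_delete_passkey_hardened() {
    check_ajax_referer( 'example_passkey_nonce', 'nonce' );

    $passkeys = get_option( 'example_passkeys', array() );
    $id       = isset( $_POST['passkey_id'] ) ? sanitize_key( $_POST['passkey_id'] ) : '';
    if ( '' === $id || ! isset( $passkeys[ $id ] ) ) {
        wp_send_json_error( array( 'message' => 'unknown passkey' ), 404 );
    }

    $owner_id = (int) $passkeys[ $id ]['user_id'];
    $is_admin = current_user_can( 'manage_options' );   // authorization, not just authentication
    $is_owner = ( get_current_user_id() === $owner_id );
    if ( ! $is_admin && ! $is_owner ) {
        // Record denied attempts so unexpected deletion requests show up in logs.
        error_log( sprintf( 'passkey delete denied: user %d, passkey %s', get_current_user_id(), $id ) );
        wp_send_json_error( array( 'message' => 'not allowed' ), 403 );
    }

    unset( $passkeys[ $id ] );
    update_option( 'example_passkeys', $passkeys );
    wp_send_json_success();
}

// wp_ajax_ hooks fire only for authenticated users; that is authentication,
// which is why the capability and ownership checks inside the handler matter.
add_action( 'wp_ajax_example_delete_passkey', 'example_delete_passkey_hardened' );
```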
Affected Countries
United States, Germany, United Kingdom, Canada, Australia, France, Netherlands, India, Brazil, Japan, South Korea
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-09-11T22:04:22.079Z
- Cvss Version: 3.1
- State: PUBLISHED
Threat ID: 68cf42444a0b186b9321b040
Added to database: 9/21/2025, 12:09:40 AM
Last enriched: 2/27/2026, 6:21:05 PM
Last updated: 3/26/2026, 9:18:03 AM