CVE-2025-9485 is a critical security vulnerability identified in the OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress, maintained by cyberlord92. The vulnerability stems from improper verification of cryptographic signatures (CWE-347) in JSON Web Tokens (JWTs) processed by the plugin's get_resource_owner_from_id_token function. Specifically, the plugin fails to validate the JWT signature, allowing attackers to craft malicious tokens that the plugin accepts as valid. This flaw enables unauthenticated attackers to bypass authentication mechanisms entirely, granting them access to any existing user account on the WordPress site. In certain configurations, attackers can escalate privileges to administrator level, while in others, they can create arbitrary subscriber-level accounts. The vulnerability affects all versions up to and including 6.26.12. The CVSS v3.1 base score of 9.8 reflects the critical nature of the flaw, with an attack vector over the network, no required privileges or user interaction, and full impact on confidentiality, integrity, and availability of the affected systems. Although no known exploits have been observed in the wild, the vulnerability's characteristics make it highly exploitable. The lack of signature verification in JWT processing is a fundamental cryptographic error, undermining the trust model of OAuth-based authentication. This vulnerability poses a severe risk to WordPress sites using this plugin for Single Sign-On, potentially leading to unauthorized access, data breaches, and full site compromise.

For European organizations, this vulnerability represents a significant threat to the security of WordPress-based web applications that utilize the OAuth Single Sign On – SSO (OAuth Client) plugin. Unauthorized access to user accounts, especially administrator accounts, can lead to full site compromise, data theft, defacement, or use of the site as a platform for further attacks. The ability to create arbitrary subscriber accounts also facilitates persistent footholds and lateral movement within the application environment. Given the widespread use of WordPress across Europe for corporate websites, e-commerce, and internal portals, exploitation could result in reputational damage, regulatory non-compliance (e.g., GDPR violations due to data breaches), and financial losses. The critical severity and ease of exploitation mean that attackers can operate remotely without authentication or user interaction, increasing the risk of automated mass exploitation campaigns targeting vulnerable sites across Europe. Organizations in sectors with high-value targets, such as finance, healthcare, and government, are particularly at risk due to the potential impact on sensitive data and services.

Immediate mitigation involves updating the OAuth Single Sign On – SSO (OAuth Client) plugin to a patched version once released by the vendor. Until a patch is available, organizations should consider disabling the plugin or the SSO functionality to prevent exploitation. Implementing Web Application Firewall (WAF) rules to detect and block malformed or unsigned JWT tokens can provide interim protection. Conduct thorough audits of user accounts for unauthorized creations or privilege escalations. Enforce multi-factor authentication (MFA) on all administrator accounts to reduce the impact of compromised credentials. Review and restrict OAuth client configurations to minimize exposure. Monitor logs for suspicious authentication attempts or unusual token usage patterns. Additionally, organizations should educate administrators on the risks of using unverified third-party plugins and establish a process for timely vulnerability management and patching. Network segmentation and limiting administrative access to trusted IPs can further reduce the attack surface.