CVE-2025-9485 is a critical vulnerability affecting the OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress, developed by cyberlord92. The flaw arises from improper verification of cryptographic signatures (CWE-347) in the plugin's JWT token processing, specifically within the function get_resource_owner_from_id_token. The vulnerability exists in all versions up to and including 6.26.12. The plugin fails to properly validate or verify the signature of JSON Web Tokens (JWTs), which are used to authenticate users via OAuth. This improper verification allows unauthenticated attackers to bypass authentication mechanisms entirely. Exploiting this flaw, an attacker can impersonate any existing user account, including those with administrative privileges under certain configurations, or create arbitrary subscriber-level accounts. The vulnerability has a CVSS v3.1 base score of 9.8, indicating critical severity, with attack vector being network-based, no privileges or user interaction required, and impacts on confidentiality, integrity, and availability. Although no known exploits are currently reported in the wild, the ease of exploitation combined with the high impact makes this vulnerability a significant threat. The plugin is widely used in WordPress environments to enable OAuth-based single sign-on, which is common in enterprise and organizational websites. The lack of patch links suggests that a fix may not yet be publicly available, increasing the urgency for mitigation.

For European organizations, this vulnerability poses a severe risk to the security of web applications relying on the affected OAuth Single Sign On plugin. Successful exploitation can lead to unauthorized access to sensitive data, administrative control over websites, and potential lateral movement within organizational networks. This can result in data breaches, defacement, or use of compromised sites as attack platforms. Given the widespread use of WordPress in Europe across public sector, education, and private enterprises, the impact could be extensive. Organizations handling personal data under GDPR face additional legal and compliance risks if unauthorized access leads to data exposure. The ability to create arbitrary subscriber accounts also facilitates persistent footholds for attackers. The critical nature of the vulnerability means that exploitation could disrupt business operations and damage organizational reputation.

Immediate mitigation steps include: 1) Disabling the OAuth Single Sign On – SSO (OAuth Client) plugin until a vendor patch is available. 2) Monitoring web server and application logs for suspicious authentication attempts or creation of new user accounts. 3) Implementing additional multi-factor authentication (MFA) at the application or network level to reduce risk from compromised accounts. 4) Restricting administrative access to trusted IP addresses or VPNs to limit exposure. 5) Reviewing user account lists for unauthorized accounts and removing them promptly. 6) Employing Web Application Firewalls (WAFs) with custom rules to detect and block malformed or unsigned JWT tokens targeting the vulnerable endpoint. 7) Staying alert for vendor updates or patches and applying them immediately once released. 8) Conducting penetration testing focused on authentication flows to verify the absence of similar flaws. These measures go beyond generic advice by focusing on compensating controls and active monitoring tailored to this specific vulnerability.