CVE-2025-9485 is a critical security vulnerability identified in the OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress, affecting all versions up to and including 6.26.12. The root cause is an improper verification of cryptographic signatures (CWE-347) during JWT token processing in the function get_resource_owner_from_id_token. Specifically, the plugin fails to validate or verify the JWT token's signature, allowing attackers to craft malicious tokens that the system accepts as legitimate. This flaw enables unauthenticated attackers to bypass normal authentication mechanisms, granting unauthorized access to any existing user account, including those with administrative privileges under certain configurations. Additionally, attackers can create arbitrary subscriber-level accounts, potentially facilitating further attacks or persistence. The vulnerability has a CVSS v3.1 base score of 9.8, indicating critical severity with network attack vector, no required privileges or user interaction, and full impact on confidentiality, integrity, and availability. Although no exploits have been observed in the wild yet, the vulnerability's nature and ease of exploitation make it a high-risk threat. The plugin's widespread use in WordPress environments, especially for OAuth-based single sign-on, increases the potential attack surface. The lack of available patches at the time of disclosure necessitates immediate defensive actions by administrators.

The impact of CVE-2025-9485 is severe for organizations worldwide using the affected OAuth Single Sign On – SSO plugin. Successful exploitation allows attackers to bypass authentication entirely, gaining unauthorized access to user accounts, including high-privilege administrator accounts in some setups. This can lead to full system compromise, data breaches, unauthorized data modification, and service disruption. Attackers can also create subscriber accounts, enabling persistent footholds or further lateral movement within the environment. For organizations relying on WordPress for critical business functions, such as e-commerce, content management, or internal portals, this vulnerability threatens confidentiality, integrity, and availability of sensitive data and services. The ease of exploitation without any authentication or user interaction increases the risk of automated attacks and large-scale compromise. Additionally, compromised administrator accounts can be used to deploy malware, ransomware, or conduct further attacks on connected systems, amplifying the damage.

1. Immediately disable the OAuth Single Sign On – SSO (OAuth Client) plugin if patching is not yet available to prevent exploitation. 2. Monitor authentication and access logs for unusual login patterns or creation of new subscriber accounts that could indicate exploitation attempts. 3. Implement additional multi-factor authentication (MFA) at the WordPress login level to reduce risk from compromised accounts. 4. Once a patch or updated plugin version is released, apply it promptly to ensure proper JWT signature verification is enforced. 5. Conduct a thorough audit of existing user accounts, especially administrators, to detect unauthorized access or account creation. 6. Restrict plugin usage to trusted environments and consider alternative SSO solutions with verified security track records. 7. Employ Web Application Firewalls (WAFs) with rules to detect and block malformed JWT tokens or suspicious authentication requests targeting this vulnerability. 8. Educate administrators and developers about secure JWT handling and the risks of improper cryptographic verification to prevent similar issues in custom code.