OwnID Passwordless Login WordPress Plugin Authentication Bypass Vulnerability
Vulnerability
A vulnerability allowing authentication bypass has been identified in the OwnID Passwordless Login plugin for WordPress, affecting all versions through 1.3.4. The issue arises because the plugin fails to properly verify whether the ownid_shared_secret value is empty before authenticating users via JSON Web Tokens (JWT). This flaw enables unauthenticated attackers to log in as other users, including administrators, on WordPress instances where the plugin has not been fully configured.
Impact
Exploitation of this vulnerability allows unauthenticated attackers to bypass authentication and log in as other users, potentially including administrators.
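To illustrate the failure mode described above, here is an added Python example (not code from the OwnID plugin, which is a PHP/WordPress project): an HS256 JWT verifier that trusts whatever shared secret is stored, beside a hardened variant that refuses to authenticate anyone while the secret is unset. Claim names, secret strings and the helper functions are constructed for this example and are not taken from the plugin.

```python
import base64
import hashlib
import hmac
import json


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def sign_hs256(payload: dict, secret: str) -> str:
    """Mint an HS256 JWT; used here only to build test tokens."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_hs256_unchecked(token: str, secret: str):
    """Vulnerable pattern: checks the signature against whatever secret is
    stored, even an empty one, so an unconfigured install accepts tokens
    signed with the empty key. Returns the payload or None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header, body, sig = parts
    try:
        if json.loads(_b64url_decode(header)).get("alg") != "HS256":
            return None  # refuse alg confusion; only HS256 is expected
        expected = hmac.new(secret.encode(), f"{header}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return None
        return json.loads(_b64url_decode(body))
    except (ValueError, UnicodeDecodeError):
        return None


def verify_hs256_hardened(token: str, secret: str):
    """Fixed pattern: an empty or whitespace-only shared secret means the
    plugin is not configured, so no token can authenticate anyone."""
    if not secret or not secret.strip():
        return None
    return verify_hs256_unchecked(token, secret)
```

A regression test for the fix is simply: a token minted with the empty key must be rejected by the hardened verifier while a token under a real secret still verifies.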
