CVE-2025-10305: 
WordPress vulnerability analysis and mitigation

The Secure Passkeys plugin for WordPress contains a missing authorization vulnerability (CVE-2025-10305) discovered in September 2025. This security flaw affects all versions up to and including 1.2.1, where the deletepasskey() and passkeyslist() functions lack proper capability checks. The vulnerability allows authenticated users with Subscriber-level access or higher to view and delete passkeys without proper authorization (NVD CVE).

The vulnerability is classified with a CVSS v3.1 Base Score of 5.3 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N. The issue stems from a missing capability check in two core functions: deletepasskey() and passkeyslist(). This authorization bypass vulnerability is categorized as CWE-862 (Missing Authorization) (NVD CVE, Wordfence).

The vulnerability allows authenticated attackers with Subscriber-level privileges or higher to view and delete passkeys without proper authorization. This could lead to unauthorized access to passkey information and potential deletion of legitimate users' passkeys (NVD CVE).

The vulnerability has been patched in version 1.2.2 of the Secure Passkeys plugin. The update includes enhanced permission checks for administrative functions to prevent potential unauthorized access. Users are advised to update to version 1.2.2 or later (WordPress Plugin).