CVE-2025-9485: 
WordPress vulnerability analysis and mitigation

The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress contains a critical vulnerability (CVE-2025-9485) related to Improper Verification of Cryptographic Signature in versions up to and including 6.26.12. The vulnerability was discovered and reported on October 3, 2025, and affects the plugin's JWT token processing functionality (NVD).

The vulnerability stems from unsafe JWT token processing without verification or validation in the get_resource_owner_from_id_token function. The issue has been assigned a CVSS v3.1 base score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is classified under CWE-347 (Improper Verification of Cryptographic Signature) (NVD, Wordfence).

The vulnerability allows unauthenticated attackers to bypass authentication and gain access to any existing user account, including administrator accounts in certain configurations. Additionally, attackers can create arbitrary subscriber-level accounts, potentially compromising the entire WordPress installation (NVD).

Users are advised to immediately update their OAuth Single Sign On – SSO (OAuth Client) plugin to a version newer than 6.26.12. The vulnerability has been addressed in subsequent releases, as evidenced by the WordPress plugin repository changes (WordPress).