CVE-2025-9485: 
WordPress vulnerability analysis and mitigation

The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress is vulnerable to Improper Verification of Cryptographic Signature in versions up to, and including, 6.26.12. This vulnerability was discovered and disclosed on October 3, 2025. The issue affects the plugin's JWT token processing functionality in the get_resource_owner_from_id_token function (NVD).

The vulnerability stems from unsafe JWT token processing without proper verification or validation in the get_resource_owner_from_id_token function. The issue has been assigned a CVSS v3.1 Base Score of 9.8 CRITICAL (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is classified under CWE-347 (Improper Verification of Cryptographic Signature) (NVD).

The vulnerability allows unauthenticated attackers to bypass authentication and either gain access to any existing user account, including administrator accounts in certain configurations, or create arbitrary subscriber-level accounts. This presents a severe security risk to affected WordPress installations (NVD).

The vulnerability has been patched in version 6.26.13 of the plugin. Users are strongly advised to update to this version or later to protect their installations. The fix can be found in the WordPress plugin repository (WordPress Plugin).