插件名稱	OwnID Passwordless Login
Type of Vulnerability	Authentication bypass
CVE Number	CVE-2025-10294
Urgency	Critical
CVE Publish Date	2025-10-15
Source URL	CVE-2025-10294

Urgent Security Alert: OwnID Passwordless Login (≤ 1.3.4) Authentication Bypass (CVE-2025-10294)

Managed-WP Security Advisory and Mitigation Guide

Published: October 15, 2025
Severity: Critical (CVSS 9.8) — Unauthenticated authentication bypass
Affected Versions: OwnID Passwordless Login plugin versions ≤ 1.3.4
Patch Status: No official vendor patch available at this time

At Managed-WP, we are issuing an urgent security advisory regarding a critical authentication bypass vulnerability discovered in the OwnID Passwordless Login WordPress plugin. This flaw enables unauthenticated attackers to bypass the login process — potentially gaining full control of affected sites, including administrative privileges. Due to the plugin’s direct integration with WordPress authentication flows, exploitation can lead to persistent site compromise, malicious code injection, unauthorized content modification, backdoor installation, and sensitive data theft.

This advisory delivers a clear, technical yet actionable overview detailing the nature of the vulnerability, attacker exploitation methods, detection techniques, immediate containment procedures, virtual patch recommendations, and long-term recovery strategies. Our guidance is tailored from the perspective of seasoned US-based WordPress security experts, providing practical next steps you can implement now.

---

Executive Summary

• CVE-2025-10294: Authentication bypass in OwnID Passwordless Login plugin ≤ 1.3.4.
• Exploitable by unauthenticated attackers — no valid login credentials required.
• Attackers can impersonate users, including administrators, leading to site takeover and malware installation.
• No official fix currently released — immediate mitigation is critical.
• Recommended actions include disabling the plugin, blocking its endpoints with WAF rules, rotating authentication keys, auditing users, and restoring from clean backups if compromise is detected.

---

Technical Overview of the Vulnerability

Passwordless login mechanisms utilize alternative authentication flows such as magic links, WebAuthn, and REST callbacks, which require rigorous server-side validation of cryptographic proofs and authentication challenges. A secure implementation must never establish authenticated sessions without full verification of these proofs.

The OwnID plugin versions up to 1.3.4 contain a critical logic flaw in their authentication verification. Specifically, certain endpoints or callback handlers do not sufficiently validate the authentication proof before initiating a WordPress session. This allows attackers to craft malicious requests that impersonate legitimate users, bypassing password checks entirely.

Core attributes of the vulnerability:

• Attackers require no prior authentication or valid credentials.
• Attack vector involves HTTP requests targeting plugin-specific REST or AJAX endpoints.
• Impact includes full user impersonation, with possible administrative access and persistent site control.

This bypass circumvents WordPress’s native credential validation, rendering many common security controls ineffective and enabling automated mass exploitation.

---

Attack Methodology

Attackers typically follow these steps:

1. Scan for sites running vulnerable OwnID versions by detecting known REST endpoints, plugin assets, or HTTP headers.
2. Probe these endpoints for the authentication bypass vulnerability.
3. Submit specially crafted requests that trigger the flawed verification logic, obtaining authenticated sessions without legitimate credentials.
4. Use acquired access to create admin accounts, inject backdoors, modify content, and exfiltrate sensitive data.

Due to automation, mass exploitation campaigns may cause widespread breaches within hours of exploit code release.

---

Immediate Threat Assessment

If your WordPress site runs OwnID Passwordless Login plugin version 1.3.4 or earlier, assume a critical exposure exists:

• Your site is at immediate risk of automated attacks.
• Admin accounts are prime targets for takeover.
• Failure to apply swift mitigation increases the likelihood of persistent malware implantation.

Do not delay protective actions pending a vendor patch.

---

Indicators Your Site May Be Compromised

Conduct immediate inspections for the following signals of compromise (IoC):

• Unexpected new administrator accounts in the wp_users 和 wp_usermeta tables. Sample SQL query:

SELECT ID, user_login, user_email, user_registered
FROM wp_users
WHERE ID IN (
  SELECT user_id
  FROM wp_usermeta
  WHERE meta_key = 'wp_capabilities' AND meta_value LIKE '%administrator%'
)
ORDER BY user_registered DESC;

• Suspicious login activity observed in webserver logs, including repeated POST requests to OwnID-related REST endpoints or unusual query strings (e.g., URLs containing “ownid”, “passwordless”, “magic-link”).
• Detection of authentication cookies or sessions created after plugin endpoint requests without legitimate login.
• Unexplained changes to wp_options, wp_posts, or plugin files (verify file modification dates).
• Presence of suspect PHP files in upload directories (wp-content/uploads).
• Outbound network connections initiated by PHP processes to unknown external servers.
• Unrecognized scheduled cron jobs in WordPress configuration.

If any indicators are identified, treat your site as compromised and act according to containment protocols below.

---

What to Do Now: Immediate Containment Steps

1. Deactivate the vulnerable plugin instantly.
   – If you have WordPress admin access: deactivate OwnID Passwordless Login from the plugin dashboard.
   – If admin access is unavailable: rename or remove the wp-content/plugins/ownid directory via SSH/SFTP to prevent execution.
2. Block plugin-specific endpoints at your webserver or firewall.
   If disabling the plugin is not possible immediately, restrict access to its REST and AJAX interfaces using firewall or webserver configuration.
3. Rotate WordPress authentication keys and salts.
   Generate new values for AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY， 和 NONCE_KEY in wp-config.php to invalidate existing sessions.
4. Force password resets and credential rotations.
   Reset administrator passwords, rotate API keys, and revoke any OAuth tokens stored in plugins.
5. Audit and clean user accounts.
   Remove any suspicious or unauthorized administrator accounts.
6. Perform malware and backdoor scans.
   Use file integrity scanners to detect modifications to core files, plugins, themes, and uploads directory.
7. Create forensic snapshots.
   Capture file system and database states prior to remediation for investigative purposes.
8. If compromise is confirmed, restore from a known clean backup.
   Follow restoration with continued containment steps.
9. Notify your hosting provider and enhance logging.
   Enable detailed access and error logging and request assistance if hosted on a managed platform.

---

Recommended Web Application Firewall (WAF) and Virtual Patch Rules

Until an official plugin fix becomes available, deploy virtual patching at the firewall level. The following sample rules block unauthenticated access to plugin REST and AJAX endpoints:

Nginx example:

# Block OwnID REST API endpoints
location ~* ^/wp-json/(ownid|ownid-.*) {
    return 403;
}

Apache/.htaccess example:

<IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteCond %{REQUEST_URI} ^/wp-json/(ownid|ownid-.*) [NC]
  RewriteRule .* - [F]
</IfModule>

ModSecurity (SecRule) snippet:

SecRule REQUEST_URI "@rx ^/wp-json/(ownid|ownid-.*)" 
    "id:1009001,phase:1,deny,status:403,log,msg:'Block OwnID REST endpoints (virtual patch) - authentication bypass mitigation'"

Example rule to block AJAX calls with OwnID actions:

if ($request_method = POST) {
    set $block_ajax 0;
    if ($request_uri ~* "admin-ajax.php") {
        if ($request_body ~* "(action=.*ownid|ownid_auth|ownid_callback)") {
            set $block_ajax 1;
        }
    }
    if ($block_ajax = 1) {
        return 403;
    }
}

Additional WAF hardening recommendations:

• Rate-limit requests targeting plugin-specific and login endpoints.
• Block requests missing valid Nonce headers, if applicable.
• Restrict POST requests to plugin endpoints from unknown external IPs.
• Deny suspicious payloads such as blank tokens, overly large parameters, or patterns matching known exploits.
• Monitor for spikes in traffic to OwnID or passwordless-related routes.

Managed-WP customers can enable our managed ruleset which implements virtual patches to safeguard vulnerable endpoints instantly until vendor patches are issued.

---

Quick Server-Level Mitigations

If deploying a WAF is not an option, implement these server-level controls:

• Restrict access to wp-login.php 和 /wp-admin to trusted IPs.
• Add webserver rules to block URLs containing OwnID and passwordless keywords.
• Temporarily disable REST API access for unauthenticated users through a lightweight plugin or mu-plugin, with caution to avoid breaking legitimate usages.

Example mu-plugin to block OwnID REST requests:

<?php
// mu-plugin/block-ownid-rest.php
add_filter( 'rest_request_dispatch', function($result, $server, $request) {
    $route = $request->get_route();
    if (preg_match('#^/ownid#', $route) || preg_match('#ownid#', $route)) {
        return new WP_Error('rest_forbidden', 'Forbidden', ['status' => 403]);
    }
    return $result;
}, 10, 3);

筆記： Test this carefully before deployment. It is a temporary measure until an official plugin update is available.

---

Post-Containment Validation

Once containment is in place (plugin disabled and firewall rules active), verify your site’s integrity by:

1. Removing any unknown administrator accounts.
2. Confirming updated authentication salts in wp-config.php.
3. Scanning filesystem for recent unexpected changes:
   find . -type f -mtime -n (adjust n to time window)
4. Locating unexpected PHP files in upload folders:
   find wp-content/uploads -type f -name "*.php"
5. Checking for unfamiliar scheduled cron jobs via WP Admin or examining wp_options['cron'].
6. Reviewing the database for suspicious options or rogue content potentially harboring backdoors.
7. Inspecting server logs for persistent or anomalous POST requests.
8. Re-scanning with trusted malware and file integrity tools.

Where malware/backdoors are detected, restore from clean backups rather than relying only on cleanup, then repeat containment and secret rotation.

---

Recovery and Long-Term Site Hardening

• Immediately restore your site from a verified clean backup if compromise is confirmed.
• Disable the vulnerable OwnID plugin and maintain firewall rules as described.
• Rotate all critical credentials and authentication keys in wp-config.php.
• Deploy two-factor authentication (2FA) for all admin-level users.
• Enforce strict user role policies, minimize the number of admin accounts, and apply least privilege principles.
• Enable continuous file change monitoring and regular malware scans.
• Maintain automated offsite backups and verify their integrity regularly.
• Monitor your environment vigilantly for suspicious activity for at least 30 days after cleanup.

---

Developer Best Practices

Plugin and theme developers integrating passwordless authentication should:

• Implement rigorous server-side verification of all authentication proofs; never trust client-side assertions alone.
• Validate all digital signatures, nonces, CSRF tokens, and timestamps firmly.
• Only set authentication cookies after complete cryptographic checks.
• Minimize custom authentication endpoints; leverage WordPress core login flows where possible.
• Incorporate detailed logging and rate limiting on authentication-related endpoints.

---

Quick Indicators of Compromise (IoC) Checklist

• Unexpected admin users created recently.
• Unexplained modification dates on core, plugin, or theme files.
• Presence of PHP files in upload or non-code directories.
• Outbound PHP process network connections to unknown hosts.
• New scheduled cron tasks you did not set.
• Traffic spikes to OwnID or related REST API endpoints.

If you notice any of these signs, escalate immediately to incident response.

---

Managed-WP Protection Offer — Start with Our Free Plan

Secure Your WordPress Site Today with Managed-WP’s Free Plan

For fast deployment of protective measures before official patches become available, Managed-WP offers a Basic (Free) security plan that provides:

• Managed firewall protection with unlimited bandwidth.
• Web Application Firewall (WAF) with virtual patching for known vulnerabilities.
• Malware scanning and mitigation of OWASP Top 10 WordPress risks.
• Immediate deployment of rules to mitigate plugin vulnerabilities without code changes.
• Upgrade options to Standard and Pro plans with automatic malware removal, advanced controls, and managed incident response.

Sign up quickly to secure your site here: https://my.wp-firewall.com/buy/wp-firewall-free-plan/

---

Prioritized Action Checklist

1. Immediately disable or uninstall OwnID Passwordless Login plugin if installed.
2. If plugin cannot be disabled right away, block REST/AJAX endpoints via firewall/webserver rules.
3. Rotate WordPress authentication keys and salts (wp-config.php).
4. Force password resets for administrators and rotate critical API credentials.
5. Conduct thorough audits of users, plugins, themes, and files for tampering evidence.
6. Deploy malware scans and consider restoring from verified clean backups.
7. Implement WAF rules and enable continuous malware monitoring.
8. Strengthen site security with two-factor authentication, limited admin accounts, and reliable backups.

---

Final Notes from Managed-WP Security Experts

Authentication bypass vulnerabilities in plugins that alter core login mechanics pose one of the highest risks to WordPress sites. Attackers exploiting these flaws gain direct entry, bypassing standard defenses. Given the speed at which such exploits spread, quick action is essential — deactivating vulnerable components and deploying virtual patches are critical interim measures pending official vendors’ fixes.

For operators managing multiple WordPress sites, focus remediation efforts first on high-value and high-traffic properties such as eCommerce platforms. When uncertain, always assume compromise and act decisively using the containment, cleanup, and recovery steps outlined here.

If you need assistance with scanning, rule deployment, or incident response, Managed-WP’s expert security team stands ready to support you.