CVE-2025-10294
published 2025-10-15


Priority: P270
Severity: critical, CVSS 3.1 base score 9.8
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.78% (51.1th percentile)
The OwnID Passwordless Login plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.3.4. This is due to the plugin not properly checking if the ownid_shared_secret value is empty prior to authenticating a user via JWT. This makes it possible for unauthenticated attackers to log in as other users, including administrators, on instances where the plugin has not been fully configured yet.
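The description above comes down to one missing guard: a JWT must never be accepted while the plugin's shared secret is unset, because an empty secret is effectively a public key. The PHP below is an added illustration written for this page, not the OwnID plugin's own code. It assumes HS256 tokens (the advisory only says "JWT"), and the function name `verify_shared_secret_jwt`, the sample secret and the sample token are constructed for the demo; how the real plugin loads `ownid_shared_secret` (for example via WordPress `get_option()`) is outside the example.

```php
<?php
// Added example, not the OwnID plugin's code. Shows the guard the advisory
// describes as missing: refuse JWT authentication outright when the configured
// shared secret is empty, before any signature check is attempted.

function b64url_encode(string $s): string
{
    return rtrim(strtr(base64_encode($s), '+/', '-_'), '=');
}

function b64url_decode(string $s)
{
    $pad = strlen($s) % 4;
    if ($pad) {
        $s .= str_repeat('=', 4 - $pad);
    }
    return base64_decode(strtr($s, '-_', '+/'), true); // strict: garbage -> false
}

/**
 * Verify an HS256 JWT against the site's configured shared secret.
 * Returns the decoded claims on success, or null when the token must be rejected.
 * $shared_secret is the stored ownid_shared_secret value (loading it is not shown).
 */
function verify_shared_secret_jwt(string $token, ?string $shared_secret): ?array
{
    // The fix: an unconfigured (null or empty) secret means nobody can be
    // authenticated, because any token could be signed with a known key.
    if ($shared_secret === null || trim($shared_secret) === '') {
        return null;
    }

    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        return null;
    }
    [$h, $p, $sig] = $parts;

    // Pin the algorithm: reject "none" and anything other than HS256.
    $header = json_decode((string) b64url_decode($h), true);
    if (!is_array($header) || ($header['alg'] ?? '') !== 'HS256') {
        return null;
    }

    // Constant-time comparison of the raw HMAC bytes.
    $expected = hash_hmac('sha256', "$h.$p", $shared_secret, true);
    $actual   = b64url_decode($sig);
    if ($actual === false || !hash_equals($expected, $actual)) {
        return null;
    }

    $claims = json_decode((string) b64url_decode($p), true);
    if (!is_array($claims)) {
        return null;
    }
    // Reject expired tokens and tokens without the subject used to look up a user.
    if (isset($claims['exp']) && time() >= (int) $claims['exp']) {
        return null;
    }
    if (empty($claims['sub'])) {
        return null;
    }
    return $claims;
}

// Demo with a constructed secret and a constructed, correctly signed token.
$secret = 'example-shared-secret-for-demo';
$h = b64url_encode(json_encode(['alg' => 'HS256', 'typ' => 'JWT']));
$p = b64url_encode(json_encode(['sub' => 'demo-user', 'exp' => time() + 300]));
$token = "$h.$p." . b64url_encode(hash_hmac('sha256', "$h.$p", $secret, true));

echo verify_shared_secret_jwt($token, $secret) !== null
    ? "configured secret: token accepted\n"
    : "configured secret: token rejected\n";

// Same token presented to a site whose secret was never configured: refused
// before the signature is even examined.
echo verify_shared_secret_jwt($token, '') !== null
    ? "empty secret: token accepted\n"
    : "empty secret: token rejected\n";
```

The empty-secret check sits first on purpose: it does not depend on the token at all, so a site that installed the plugin but never completed setup fails closed instead of trusting whatever arrives on the login endpoint. The algorithm pin and `hash_equals` are the other two checks a JWT verifier of this kind should never skip.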

Affected (1 range)

Vendor: victornavarro
Product: ownid_passwordless_login
Version range: <= 1.3.4
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

Filename: rasmanesc.exe
  • Fake PoC exploit for CVE-2025-10294 delivered as a password-protected ZIP file containing: an empty file with the password as its name, a corrupted decoy DLL file, a batch file used in the execution chain, and the main dropper rasmanesc.exe.
  • The dropper elevates privileges, disables Windows Defender, and downloads/executes WebRAT from a hardcoded URL — monitor for Defender tamper events combined with rasmanesc.exe process creation.
  • WebRAT establishes persistence via Windows Registry modifications, Task Scheduler, and by injecting itself into random system directories — hunt for unexpected scheduled tasks and registry run-key entries created alongside rasmanesc.exe execution.
  • CVE-2025-10294 exploitation target: WordPress sites running OwnID Passwordless Login plugin ≤1.3.4 where ownid_shared_secret is empty — monitor for unauthenticated JWT-based login attempts against the OwnID plugin endpoint.
  • Malicious repositories distributing WebRAT under the guise of CVE-2025-10294 PoC exploits were hosted on GitHub; all 15 identified repositories have been removed, but new lures may appear under different publisher names.
  • CVE-2025-10294 only affects WordPress instances where the OwnID Passwordless Login plugin has NOT been fully configured (i.e., ownid_shared_secret is empty); fully configured instances are not vulnerable.