CVE-2025-10294
Published 2025-10-15
Priority P270 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.78% (51.1th percentile)
The OwnID Passwordless Login plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.3.4. This is due to the plugin not properly checking if the ownid_shared_secret value is empty prior to authenticating a user via JWT. This makes it possible for unauthenticated attackers to log in as other users, including administrators, on instances where the plugin has not been fully configured yet.
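The fail-open condition described above, shown next to a fail-closed check. This is an added example, not the plugin's code: it assumes an HS256-signed JWT, and `verify_unchecked`, `verify_fail_closed` and `MIN_SECRET_BYTES` are hypothetical names.

```python
import base64, hashlib, hmac, json

# Assumption: HS256 (HMAC-SHA256) tokens; the advisory does not name the algorithm.
MIN_SECRET_BYTES = 32  # assumed policy floor, not a value from the advisory

class NotConfigured(Exception):
    """Raised when no usable shared secret is set, so nothing can be trusted."""

def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign_hs256(claims, secret):
    """Issuer side, used here only to build the constructed sample tokens."""
    head = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    mac = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64url(mac)}"

def _check_mac(token, secret):
    """Return the claims if the HS256 signature matches, else None."""
    try:
        head, body, sig = token.split(".")
        if json.loads(_unb64url(head)).get("alg") != "HS256":
            return None  # refuse 'none' and any algorithm we did not configure
        good = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(good, _unb64url(sig)):
            return None
        return json.loads(_unb64url(body))
    except (ValueError, AttributeError):
        return None  # malformed token: treat as unauthenticated

def verify_unchecked(token, secret):
    """The flaw pattern: an unset secret is silently used as the HMAC key."""
    return _check_mac(token, secret or b"")

def verify_fail_closed(token, secret):
    """Hardened: refuse to authenticate anyone until a real secret exists."""
    if not secret or len(secret) < MIN_SECRET_BYTES:
        raise NotConfigured("shared secret unset or too short; login disabled")
    return _check_mac(token, secret)

# Constructed sample: a token signed with the empty key of an unconfigured site.
EMPTY_KEY_TOKEN = sign_hs256({"sub": "admin"}, b"")
```

With an empty secret the unchecked verifier accepts `EMPTY_KEY_TOKEN`, while the fail-closed one raises `NotConfigured` before any signature is evaluated.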
Affected
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| victornavarro | ownid_passwordless_login | <= 1.3.4 | — |
Detection & IOCs (extracted from sources)
- Fake PoC exploit for CVE-2025-10294 delivered as a password-protected ZIP file containing: an empty file with the password as its name, a corrupted decoy DLL file, a batch file used in the execution chain, and the main dropper rasmanesc.exe.
- The dropper elevates privileges, disables Windows Defender, and downloads/executes WebRAT from a hardcoded URL — monitor for Defender tamper events combined with rasmanesc.exe process creation.
- WebRAT establishes persistence via Windows Registry modifications, Task Scheduler, and by injecting itself into random system directories — hunt for unexpected scheduled tasks and registry run-key entries created alongside rasmanesc.exe execution.
- CVE-2025-10294 exploitation target: WordPress sites running OwnID Passwordless Login plugin ≤1.3.4 where ownid_shared_secret is empty — monitor for unauthenticated JWT-based login attempts against the OwnID plugin endpoint.
- Malicious repositories distributing WebRAT under the guise of CVE-2025-10294 PoC exploits were hosted on GitHub; all 15 identified repositories have been removed, but new lures may appear under different publisher names.
- CVE-2025-10294 only affects WordPress instances where the OwnID Passwordless Login plugin has NOT been fully configured (i.e., ownid_shared_secret is empty); fully configured instances are not vulnerable.
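One way to run the "Defender tamper combined with rasmanesc.exe process creation" hunt from the list above, as an added example that is not from any of the cited sources. The event schema, host names, paths and the 10-minute window are constructed assumptions; the event IDs are Sysmon 1 and Security 4688 for process creation and Defender 5001 and 5007 for tampering.

```python
import ntpath
from datetime import datetime, timedelta

DROPPER = "rasmanesc.exe"        # dropper file name reported in the write-up
TAMPER_IDS = {5001, 5007}        # Defender: real-time protection off / config changed
PROC_CREATE_IDS = {1, 4688}      # Sysmon process create / Security process create
WINDOW = timedelta(minutes=10)   # assumed correlation window, tune per environment

def _t(s):
    return datetime.fromisoformat(s)

# Constructed sample events in a simplified, hypothetical schema.
EVENTS = [
    {"host": "ws-01", "ts": _t("2025-12-01T10:00:05"), "id": 1,
     "image": r"C:\Users\lab\Downloads\poc\rasmanesc.exe"},
    {"host": "ws-01", "ts": _t("2025-12-01T10:00:40"), "id": 5001, "image": ""},
    {"host": "ws-02", "ts": _t("2025-12-01T11:00:00"), "id": 5007, "image": ""},
    {"host": "ws-03", "ts": _t("2025-12-01T12:00:00"), "id": 4688,
     "image": r"C:\Tools\RASMANESC.EXE"},
    {"host": "ws-03", "ts": _t("2025-12-01T15:00:00"), "id": 5001, "image": ""},
]

def _is_dropper(ev):
    """Process-creation event whose image file name matches, ignoring case."""
    return (ev["id"] in PROC_CREATE_IDS
            and ntpath.basename(ev["image"]).lower() == DROPPER)

def dropper_hosts(events):
    """Hosts where the dropper ran at all; worth triage even without tamper."""
    return sorted({e["host"] for e in events if _is_dropper(e)})

def hunt(events, window=WINDOW):
    """Return (host, dropper_start, tamper_event_id) for each correlated pair."""
    hits = []
    for s in filter(_is_dropper, events):
        for t in events:
            if (t["host"] == s["host"] and t["id"] in TAMPER_IDS
                    and abs(t["ts"] - s["ts"]) <= window):
                hits.append((s["host"], s["ts"].isoformat(), t["id"]))
    return sorted(hits)
```

On the sample data only ws-01 correlates; ws-03 ran a file with the dropper's name but its tamper event falls outside the window, so it appears in `dropper_hosts` alone.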
No detection rules found.
No public exploits indexed.
Securelist
From cheats to exploits: Webrat spreading via GitHub
blogs_securelist·2025-12-23·CVSS 9.8
Authors
Maxim Starodubov
In early 2025, security researchers uncovered a new malware family named Webrat. Initially, the Trojan targeted regular users by disguising itself as cheats for popular games like Rust, Counter-Strike, and Roblox, or as cracked software. In September, the attackers decided to widen their net: alongside gamers and users of pirated software, they are now targeting inexperienced professionals and students in the information security field.
## Distribution and the malicious sample
In October, we uncovered a campaign that had been distributing Webrat via GitHub repositories since at least September. To lure in victims, the attackers leveraged vulnerab
Securelist
Webrat, disguised as exploits, is spreading via GitHub repositories
blogs_securelist·2025-12-23·CVSS 9.8
Bleepingcomputer
WebRAT malware spread via fake vulnerability exploits on GitHub
blogs_bleepingcomputer·2025-12-23·CVSS 9.8
By Bill Toulas
The WebRAT malware is now being distributed through GitHub repositories that claim to host proof-of-concept exploits for recently disclosed vulnerabilities.
Previously spread through pirated software and cheats for games like Roblox, Counter Strike, and Rust, WebRAT is a backdoor with info-stealing capabilities that emerged at the beginning of the year.
According to a report from Solar 4RAYS in May, WebRAT can steal credentials for Steam, Discord, and Telegram accounts, as well as cryptocurrency wallet data. It can also spy on victims through webcams and capture screenshots.
Since at least September, the operators started to deliver the malware through carefully crafted repositories claiming to provide a