A critical authentication bypass vulnerability has been identified in the OwnID Passwordless Login plugin for WordPress. This flaw allows an unauthenticated attacker to bypass security checks and gain unauthorized access to user accounts, including administrative accounts. Successful exploitation could lead to a full compromise of the affected WordPress site.

The vulnerability exists because the plugin fails to properly validate authentication tokens or session data during the login process. An unauthenticated attacker can craft a malicious request to the plugin's authentication endpoint, likely by manipulating the ownid_share parameter or related data, to impersonate any user on the WordPress site. This bypasses the passwordless login mechanism entirely, granting the attacker access to the targeted account without any user interaction or valid credentials.

This vulnerability is rated as critical with a CVSS score of 9.8. A successful exploit grants an attacker complete control over any user account on the website, which could include administrator accounts. The potential business impact is severe and includes theft of sensitive user data, unauthorized content modification or website defacement, installation of malware or backdoors, and significant reputational damage. The ease of exploitation combined with the high impact poses a direct and immediate threat to any organization using the affected plugin.

Immediate Action: Immediately update the OwnID Passwordless Login plugin for WordPress to the latest version available (newer than 1.3.4) which contains the security patch for this vulnerability. After patching, review administrator and user access logs for any signs of suspicious login activity that may have occurred prior to the update.

Proactive Monitoring: System administrators should actively monitor web server access logs and WordPress security logs for unusual or anomalous login attempts. Specifically, look for direct POST requests to plugin-specific endpoints from unknown IP addresses or patterns that deviate from normal login flows. Implementing security information and event management (SIEM) rules to alert on multiple failed login attempts followed by a sudden success from the same source can help detect exploitation.

Compensating Controls: If immediate patching is not feasible, consider temporarily disabling the OwnID Passwordless Login plugin until it can be updated. Alternatively, implement a Web Application Firewall (WAF) with rules specifically designed to block malicious requests targeting the vulnerable plugin endpoints. Restricting access to the WordPress login page to trusted IP addresses can also serve as a temporary mitigating control.

Public Exploit Available: false

Given the critical CVSS score of 9.8, this vulnerability requires immediate attention. Organizations are strongly advised to apply the vendor-supplied patch to all affected WordPress instances without delay. The risk of a full site compromise is extremely high. Prioritize this update above other routine maintenance and audit logs for any potential signs of compromise.