What grant type are you using? If this is authorization code grant, the WordPress instance would have to know the client secret, so you would probably have to know about them anyway. If PKCE or implicit, you could end up in a situation where anyone could have it redirect to their own malicious site and get tokens for the user.
I think if I were designing something like this, I would want to know who I am building the identity solution for. So they would have to register their domain with me so I can add them to the callback list.
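
The callback list described in the reply above, sketched as an added example that is not part of the original post: an authorization server checks the requested `redirect_uri` against the callbacks each client registered before it issues any code or token. The client IDs, domains and function names are constructed for illustration, and treating host case and the default port as equivalent is an assumption of this sketch.

```python
from urllib.parse import urlsplit

# Constructed registry: client_id -> callback URLs each site owner registered.
REGISTERED_CALLBACKS = {
    "blog-client": {"https://blog.example.com/oauth/callback"},
    "shop-client": {"https://shop.example.org/wp-login.php?action=oauth"},
}


def normalize(uri):
    """Return a comparable tuple for an absolute https URI, or None if unacceptable."""
    # Reject characters that URL parsers strip or interpret differently.
    if "\\" in uri or "#" in uri or any(ord(c) < 0x21 for c in uri):
        return None
    try:
        parts = urlsplit(uri)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme.lower() != "https" or not parts.hostname:
        return None
    if parts.username is not None or parts.password is not None:
        return None  # "https://trusted@attacker/..." style userinfo
    # Path and query are compared byte for byte: no prefix or wildcard matching.
    return (parts.hostname.lower(), port or 443, parts.path or "/", parts.query)


def is_allowed_redirect(client_id, redirect_uri):
    """True only if redirect_uri matches a callback registered for this client."""
    registered = REGISTERED_CALLBACKS.get(client_id)
    if not registered:
        return False  # unknown client: nothing to redirect to
    candidate = normalize(redirect_uri)
    if candidate is None:
        return False
    return any(candidate == normalize(r) for r in registered)


if __name__ == "__main__":
    for cid, uri in [
        ("blog-client", "https://blog.example.com/oauth/callback"),
        ("blog-client", "https://blog.example.com.attacker.test/oauth/callback"),
        ("blog-client", "https://blog.example.com@attacker.test/oauth/callback"),
        ("shop-client", "https://blog.example.com/oauth/callback"),
    ]:
        print(cid, uri, "->", is_allowed_redirect(cid, uri))
```

On a mismatch the server should show an error page itself rather than redirect, since the redirect target is the untrusted value.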