CVE-2025-3746

Name of the Vulnerable Software and Affected Versions OTP-less one tap Sign in plugin for WordPress versions 2.0.14 through 2.0.59

Description The issue is due to the plugin not properly validating a user's identity prior to updating their details, like email. This makes it possible for unauthenticated attackers to change arbitrary users' email addresses, including administrators, and leverage that to reset the user's password and gain access to their account. Additionally, the plugin returns authentication cookies in the response, which can be used to access the account directly.

Recommendations For versions 2.0.14 through 2.0.59, update the plugin to a version that properly validates user identity prior to updating user details. As a temporary workaround, consider disabling the plugin until a patch is available. Restrict access to the plugin's functionality to minimize the risk of exploitation. Avoid using the plugin's features that allow email address updates until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.