PT-2025-49228 · WordPress · User Verification

Lucky_Buddy · Published 2025-12-05 · Updated 2025-12-10 · CVE-2025-12374

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Email Verification, Email OTP, Block Spam Email, Passwordless login, Hide Login, Magic Login – User Verification plugin for WordPress, versions up to and including 2.0.39

Description: The plugin does not properly validate that a One-Time Password (OTP) was generated before comparing it to user input within the user verification form wrap process (otpLogin function). This allows unauthenticated attackers to log in as any user with a verified email address, including administrators, by submitting an empty OTP value.

Recommendations: Versions up to and including 2.0.39 should be updated to a newer, fixed version when available. As a temporary workaround, consider disabling the plugin until a patch is available.
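The failure mode in the description is a general one: if the "stored OTP" is read from a slot that was never populated, it comes back empty, and comparing it against an empty submission succeeds. The following is an added illustration written for this advisory, not code from the User Verification plugin; the store layout and the function names `otp_login_weak` and `otp_login_hardened` are hypothetical, and the OTP store is a constructed in-memory array standing in for wherever a plugin would persist issued codes.

```php
<?php
// Added example (not the plugin's code). Shows why an OTP check must first
// confirm that an OTP was actually issued before comparing anything.

// Constructed stand-in for the plugin's OTP storage (user meta, transients, ...).
// The user has NOT requested a code, so there is no entry for them.
$store = [
    // user_id => ['otp' => '123456', 'expires' => <unix timestamp>]
];

// Weak pattern: compares whatever is stored with whatever was submitted.
// With no issued code, $stored reads as '' and an empty submission is also '',
// so the comparison passes without any OTP ever having been generated.
function otp_login_weak(array $store, int $user_id, string $submitted): bool {
    $stored = $store[$user_id]['otp'] ?? '';
    return $stored == $submitted;   // loose comparison, no "was it issued?" check
}

// Hardened pattern: fail closed unless a non-empty OTP was issued and is still
// valid, reject empty input, compare in constant time, and consume the code.
function otp_login_hardened(array &$store, int $user_id, string $submitted, int $now): bool {
    $entry = $store[$user_id] ?? null;
    if ($entry === null || $entry['otp'] === '' || $submitted === '') {
        return false;                // nothing issued, or nothing submitted
    }
    if ($now > $entry['expires']) {
        unset($store[$user_id]);     // stale code: discard it and fail
        return false;
    }
    $ok = hash_equals($entry['otp'], $submitted);
    if ($ok) {
        unset($store[$user_id]);     // single use: a code never verifies twice
    }
    return $ok;
}

$now = time();

// Case 1: no OTP was ever issued and the submission is empty.
var_dump(otp_login_weak($store, 1, ''));
var_dump(otp_login_hardened($store, 1, '', $now));

// Case 2: normal flow, a code is issued and then verified.
$store[1] = ['otp' => '482913', 'expires' => $now + 300];   // constructed code
var_dump(otp_login_hardened($store, 1, '482913', $now));
var_dump(otp_login_hardened($store, 1, '482913', $now));    // second attempt
```

Run with `php example.php`. In case 1 the weak check accepts the empty submission while the hardened check rejects it; in case 2 the hardened check accepts the issued code exactly once and rejects the replay. The three properties to look for when reviewing any OTP login path are present in the hardened function and absent in the weak one: the code must provably have been issued (non-empty, unexpired), the submission must be non-empty, and the comparison must be strict and constant-time (`hash_equals`, never `==`).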

Fix

Weakness Enumeration

Improper Authentication

Related Identifiers

CVE-2025-12374

Affected Products

User Verification