cleantalk
Vulnerabilities and Security Researches

OTP-less one tap Sign in, CVE-2025-3746

CVE, Research URL

CVE-2025-3746

Home page URL

Security reports for OTP-less one tap Sign in

Application

OTP-less one tap Sign in

Published on
May 02, 2025
Research Description
The OTP-less one tap Sign in plugin for WordPress is vulnerable to privilege escalation via account takeover in versions 2.0.14 to 2.0.59. This is due to the plugin not properly validating a user's identity prior to updating their details, like email. This makes it possible for unauthenticated attackers to change arbitrary users' email addresses, including administrators, and leverage that to reset the user's password and gain access to their account. Additionally, the plugin returns authentication cookies in the response, which can be used to access the account directly.
Affected versions
Min 2.0.14, max 2.0.59.
Status
vulnerable
Previous vulnerability researches
OTP-less one tap Sign in (CVE-2025-32622) , Apr 18, 2025
OTP-less one tap Sign in (CVE-2025-3746) , May 04, 2025
New vulnerability
OOPSpam Anti-Spam (CVE-2026-32544) , Mar 31, 2026
NotificationX – Best FOMO, Social Proof, WooCommerce Sales Popup & Notification Bar Plugin With Elementor (CVE-2026-27042) , Mar 31, 2026
The Conference (CVE-2026-32335) , Mar 31, 2026
WP Booking System – Booking Calendar (CVE-2025-68515) , Mar 31, 2026
UPI QR Code Payment Gateway for WooCommerce (CVE-2025-67969) , Mar 31, 2026