CVE-2025-3746 CRITICAL

CVE-2025-3746: OTP-less one tap Sign in 2.0.14 - 2.0.59 - Unauthenticated Arbitrary Email Update to Account Takeover/Privilege Escalation

Vendor Thedrifted
Product OTP-less one tap Sign in
Weakness CWE-862 · Missing authorization
Published May 2, 2025
Last update May 12, 2025

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

The OTP-less one tap Sign in plugin for WordPress is vulnerable to privilege escalation via account takeover in versions 2.0.14 to 2.0.59. This is due to the plugin not properly validating a user's identity prior to updating their details, like email. This makes it possible for unauthenticated attackers to change arbitrary users' email addresses, including administrators, and leverage that to reset the user's password and gain access to their account. Additionally, the plugin returns authentication cookies in the response, which can be used to access the account directly.
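The description above boils down to a CWE-862 pattern: a profile-update endpoint reachable without authentication that trusts a client-supplied user ID and then hands back a session. The following is an added illustration of that pattern in a generic WordPress AJAX handler, shown in its weak shape beside a hardened one; the handler and action names are hypothetical and this is not the plugin's own code.

```php
<?php
// Added illustration of CWE-862 in a WordPress AJAX handler.
// Hypothetical action/function names; not the plugin's own code.

// Weak shape: registered for unauthenticated callers (wp_ajax_nopriv_) and
// trusting a caller-chosen user ID, so any visitor can rewrite any user's email
// and is then issued that user's session cookie.
add_action( 'wp_ajax_nopriv_demo_update_email', 'demo_update_email_weak' );
function demo_update_email_weak() {
    $user_id = (int) $_POST['user_id'];
    $email   = sanitize_email( $_POST['email'] );
    wp_update_user( array( 'ID' => $user_id, 'user_email' => $email ) );
    wp_set_auth_cookie( $user_id ); // session for an identity that was never verified
    wp_send_json_success();
}

// Hardened shape: logged-in callers only, CSRF nonce, and the target account
// must be the caller's own (or the caller must hold edit_user for that ID).
add_action( 'wp_ajax_demo_update_email', 'demo_update_email_hardened' );
function demo_update_email_hardened() {
    check_ajax_referer( 'demo_update_email', 'nonce' ); // dies on a bad/missing nonce
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'not authenticated', 401 );
    }
    $user_id = isset( $_POST['user_id'] ) ? (int) $_POST['user_id'] : get_current_user_id();
    if ( $user_id !== get_current_user_id() && ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( 'not authorized', 403 );
    }
    $email = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    if ( ! is_email( $email ) || email_exists( $email ) ) {
        wp_send_json_error( 'invalid or duplicate email', 400 );
    }
    $result = wp_update_user( array( 'ID' => $user_id, 'user_email' => $email ) );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    // A profile-update endpoint never needs to mint authentication cookies.
    wp_send_json_success();
}
```

When reviewing a plugin for this class of bug, look for `wp_ajax_nopriv_` (or REST routes with a permissive `permission_callback`) that call `wp_update_user()` or `wp_set_auth_cookie()` with an ID taken from the request.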

Explanation of Vulnerability in Simple Terms

02 Summary

The OTP-less one tap Sign in plugin versions 2.0.14 through 2.0.59 lack proper authorization checks, allowing unauthenticated attackers to read sensitive data, modify site content, and disrupt service. No user interaction or special network access is required. Sites running affected versions should update immediately.

What an attacker can do

03 Attacker Capabilities

Read sensitive data, modify content, and disrupt the site without logging in.

Potential impact on your site

04 Site Impact

Attackers can access user data, alter site content, and cause downtime without any credentials.

Conditions required to exploit

05 Prerequisites

Network access only; no authentication or user interaction required.

Key dates

06 Disclosure timeline

May 2, 2025 CVE published
May 12, 2025 Record updated