What is the severity of CVE-2025-3746?

CVE-2025-3746 is classified as a high severity vulnerability due to the potential for privilege escalation.

How do I fix CVE-2025-3746?

To fix CVE-2025-3746, update the OTP-less One Tap Sign-in plugin to the latest version beyond 2.0.59.

What versions are affected by CVE-2025-3746?

CVE-2025-3746 affects versions 2.0.14 to 2.0.59 of the OTP-less One Tap Sign-in plugin.

What kind of attack does CVE-2025-3746 facilitate?

CVE-2025-3746 facilitates account takeover attacks by allowing unauthorized users to change account details.

Is CVE-2025-3746 specific to WordPress?

Yes, CVE-2025-3746 specifically affects the OTP-less One Tap Sign-in plugin for WordPress.

Vulnerability/
CVE-2025-3746

critical

9.8

CWE

862

EPSS

0.112%

2/5/2025

CVE-2025-3746: OTP-less one tap Sign in 2.0.14 - 2.0.59 - Unauthenticated Arbitrary Email Update to Account Takeover/Privilege Escalation

First published: Fri May 02 2025(Updated: )

The OTP-less one tap Sign in plugin for WordPress is vulnerable to privilege escalation via account takeover in versions 2.0.14 to 2.0.59. This is due to the plugin not properly validating a user's identity prior to updating their details, like email. This makes it possible for unauthenticated attackers to change arbitrary users' email addresses, including administrators, and leverage that to reset the user's password and gain access to their account. Additionally, the plugin returns authentication cookies in the response, which can be used to access the account directly.

Credit: security@wordfence.com

Affected Software	Affected Version	How to fix
WordPress OTP-less One Tap Sign In	>=2.0.14<=2.0.59

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2025-3746?
CVE-2025-3746 is classified as a high severity vulnerability due to the potential for privilege escalation.
How do I fix CVE-2025-3746?
To fix CVE-2025-3746, update the OTP-less One Tap Sign-in plugin to the latest version beyond 2.0.59.
What versions are affected by CVE-2025-3746?
CVE-2025-3746 affects versions 2.0.14 to 2.0.59 of the OTP-less One Tap Sign-in plugin.
What kind of attack does CVE-2025-3746 facilitate?
CVE-2025-3746 facilitates account takeover attacks by allowing unauthorized users to change account details.
Is CVE-2025-3746 specific to WordPress?
Yes, CVE-2025-3746 specifically affects the OTP-less One Tap Sign-in plugin for WordPress.

collector/mitre-cve
source/MITRE
agent/weakness
agent/title
agent/type
agent/references
agent/description
agent/first-publish-date
agent/guess-ai
agent/software-canonical-lookup
agent/software-canonical-lookup-request
agent/softwarecombine
agent/severity
agent/author
agent/event
collector/nvd-api
source/NVD
agent/last-modified-date
collector/epss-latest
source/FIRST
agent/source
agent/tags
agent/epss
vendor/wordpress
canonical/wordpress otp-less one tap sign in

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co

By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.