CVE-2025-3746: 
WordPress vulnerability analysis and mitigation

The OTP-less one tap Sign in plugin for WordPress contains a critical privilege escalation vulnerability (CVE-2025-3746) affecting versions 2.0.14 through 2.0.59. The vulnerability was discovered and disclosed on May 1, 2025, impacting WordPress installations using the affected plugin versions (NVD, Wiz).

The vulnerability stems from improper user identity validation prior to updating user details, particularly email addresses. The plugin's authentication mechanism fails to properly verify user identity before allowing changes to critical user information. The severity is rated as CRITICAL with a CVSS v3.1 Base Score of 9.8 (Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H). Additionally, the plugin exposes authentication cookies in responses, which can be directly used for account access (NVD).

The vulnerability allows unauthenticated attackers to modify arbitrary users' email addresses, including those of administrators. Once an attacker changes a user's email address, they can leverage this to initiate password resets and gain unauthorized access to accounts. The exposure of authentication cookies further compounds the risk by providing direct account access capabilities (Wiz).

Website administrators running affected versions of the OTP-less one tap Sign in plugin (versions 2.0.14 to 2.0.59) should immediately update to a patched version when available. In the meantime, it is recommended to disable the plugin if possible to prevent potential exploitation (NVD).