- Description
- The OTP-less one tap Sign in plugin for WordPress is vulnerable to privilege escalation via account takeover in versions 2.0.14 to 2.0.59. This is due to the plugin not properly validating a user's identity prior to updating their details, like email. This makes it possible for unauthenticated attackers to change arbitrary users' email addresses, including administrators, and leverage that to reset the user's password and gain access to their account. Additionally, the plugin returns authentication cookies in the response, which can be used to access the account directly.
- Source
- security@wordfence.com
- NVD status
- Awaiting Analysis
CVSS 3.1
- Type
- Primary
- Base score
- 9.8
- Impact score
- 5.9
- Exploitability score
- 3.9
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Severity
- CRITICAL
- Weakness
- CWE-862 (source: security@wordfence.com)
- Hype score
- Not currently trending
⚠️ CVE-2025-3746 🖥️ WordPress OTP-less one tap signin plugin 💬 vulnerable to privilege escalation via account takeover 🔗 https://t.co/xBsTRhFKZz #ransomNews #vulnerabilities #security #CVE https://t.co/HztVIxJeXu
@ransomnews
5 May 2025
235 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
1 Quote
🚨 CVE-2025-3746 ⚠️🔴 CRITICAL (9.8) 🏢 thedrifted - OTP-less one tap Sign in 🏗️ 2.0.14 🔗 https://t.co/HpqLb5PLCf 🔗 https://t.co/Ims4vuab7s #CyberCron #VulnAlert #InfoSec https://t.co/pAyaQ9NqsY
@cybercronai
2 May 2025
21 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
🚨 Critical admin takeover vulnerability found in 'One Tap Sign-In' WordPress plugin (CVE-2025-3746, CVSS 9.8). Exploitable without credentials. Update or disable now. Details 👉 https://t.co/hQYA7lxMG4 #WordPress #CVE20253746 #CyberSecurity
@threatsbank
2 May 2025
3 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-3746 The OTP-less one tap Sign in plugin for WordPress is vulnerable to privilege escalation via account takeover in versions 2.0.14 to 2.0.59. This is due to the plugin not… https://t.co/xnN5aSPzsa
@CVEnew
2 May 2025
116 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-3746 - WordPress - HIGH 🚨 🗓️ Date published 2025-05-02 03:15:20 UTC #WordPress #CyberSecurity #InfoSec #Vulnerability #TechNews https://t.co/VblKci4hJ2
@vulns_space
2 May 2025
27 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes
[CVE-2025-3746: CRITICAL] WordPress OTP-less one tap Sign in plugin version 2.0.14 to 2.0.59 allows account takeover due to inadequate identity validation, enabling attackers to change emails and access accounts. #cve, CVE-2025-3746, #cybersecurity https://t.co/l1Bl1kG7yF
@CveFindCom
2 May 2025
40 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes