CVE-2025-3746 in OTP-less One Tap Sign in Pluginالمعلومات

الملخص

بحسب MITRE • 02/05/2025

The OTP-less one tap Sign in plugin for WordPress is vulnerable to privilege escalation via account takeover in versions 2.0.14 to 2.0.59. This is due to the plugin not properly validating a user's identity prior to updating their details, like email. This makes it possible for unauthenticated attackers to change arbitrary users' email addresses, including administrators, and leverage that to reset the user's password and gain access to their account. Additionally, the plugin returns authentication cookies in the response, which can be used to access the account directly.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

حجز

16/04/2025

إفشاء

02/05/2025

الاعتدال

تمت الموافقة

إدخال

VDB-306901

EPSS

0.00477

KEV

لا

النشاطات

منخفض جدًا

القطاع

Hostingprovider

المصادر

Do you know our Splunk app?

Download it now for free!