Critical Account Takeover Vulnerability in the OTPless WordPress Plugin (CVE-2025-3746)

Published On: May 05, 2025 17:12

Advisory No: TZCERT-SA-25-0093

Source: Wordfence

Software Affected: OTPless (OTP-less one tap Sign in) WordPress plugin

Overview

The OTPless one tap Sign in plugin for WordPress is affected by a critical vulnerability. Exploitation may allow an unauthenticated attacker to take over arbitrary user accounts on the site, including administrator accounts.

Description

The WordPress plugin OTP-less one tap Sign in is affected by the vulnerability tracked as CVE-2025-3746, rated CVSS 9.8 (Critical). The plugin does not properly validate a user's identity before updating that user's details, so the request that changes profile data can be sent by anyone, for any user, without authentication. An attacker can therefore change arbitrary users' email addresses, including administrators', to an address they control, trigger the normal password-reset flow, receive the reset link at the new address, and log in as the victim.
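The following is an added illustrative example, not the OTPless plugin's own code: a hypothetical WordPress AJAX handler (names such as example_update_user_details are assumptions) that shows the class of bug described above, a user-details update that trusts a client-supplied user id with no identity or authorization check, beside a hardened version with the checks a reviewer would expect.

```php
<?php
// Added example (not the plugin's code). Hypothetical handler names.

// VULNERABLE PATTERN: reachable by unauthenticated callers (wp_ajax_nopriv_*)
// and trusts a client-supplied user id and email.
add_action( 'wp_ajax_nopriv_example_update_user_details', 'example_update_user_details_vulnerable' );
add_action( 'wp_ajax_example_update_user_details', 'example_update_user_details_vulnerable' );

function example_update_user_details_vulnerable() {
    $user_id = isset( $_POST['user_id'] ) ? intval( $_POST['user_id'] ) : 0;
    $email   = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';

    // No check that the caller is logged in, is this user, or holds a valid nonce:
    // any visitor can point an administrator's email at an address they control
    // and then use "Lost your password?" to receive the reset link.
    wp_update_user( array( 'ID' => $user_id, 'user_email' => $email ) );
    wp_send_json_success();
}

// HARDENED PATTERN: logged-in callers only, CSRF nonce, and the target user is the
// authenticated user unless the caller explicitly holds the capability to edit others.
add_action( 'wp_ajax_example_update_user_details_secure', 'example_update_user_details_secure' );

function example_update_user_details_secure() {
    // Dies with HTTP 403 when the nonce is missing or invalid.
    check_ajax_referer( 'example_update_user_details', 'nonce' );

    $current_user_id = get_current_user_id();
    if ( 0 === $current_user_id ) {
        wp_send_json_error( 'Authentication required.', 401 );
    }

    // Self-service action: never take the target user id from the request by default.
    $target_user_id = $current_user_id;

    // Editing another account requires the edit_user meta capability for that user.
    if ( isset( $_POST['user_id'] ) && intval( $_POST['user_id'] ) !== $current_user_id ) {
        $requested_id = intval( $_POST['user_id'] );
        if ( ! current_user_can( 'edit_user', $requested_id ) ) {
            wp_send_json_error( 'Not allowed.', 403 );
        }
        $target_user_id = $requested_id;
    }

    $email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    if ( ! is_email( $email ) || email_exists( $email ) ) {
        wp_send_json_error( 'Invalid or already-used email address.', 400 );
    }

    $result = wp_update_user( array( 'ID' => $target_user_id, 'user_email' => $email ) );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success();
}
```

The essential difference is that the hardened handler derives the target account from the authenticated session (or an explicit capability check) rather than from the request body, and is not registered for nopriv callers; the password-reset step the attacker relies on is unchanged WordPress behaviour and only becomes dangerous once the email address can be rewritten.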

Impact

Successful exploitation of this vulnerability may allow an unauthenticated attacker to take over user accounts, including administrator accounts, and thereby gain escalated privileges on the affected site.

Solution

The plugin vendor has released a patched version of the OTPless plugin. Site administrators are encouraged to update the plugin to the latest version, or to deactivate it until the update can be applied. Because exploitation changes a victim's email address before the password reset, administrators should also review user accounts for unexpected email-address changes and reset the credentials of any account found to be affected.
