Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in OTP-less OTP-less one tap Sign in otpless allows Reflected XSS.This issue affects OTP-less one tap Sign in: from n/a through <= 2.0.58.
Published: 2025-04-17
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is improper neutralization of user-supplied input during web page generation (CWE-79). Because the XSS is reflected, the payload travels in the request and is echoed back in the response rather than being stored: an attacker who gets a victim to open a crafted URL on the affected site gets script execution in that victim's browser, in the site's own origin. From there the script can read session cookies that are not marked HttpOnly, perform actions with the victim's authenticated session (including administrative actions if the victim is a logged-in WordPress administrator), or present phishing content that appears to come from the site. The weakness comes from the OTP-less one tap Sign in plugin rendering request input into the page without HTML-escaping it.
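The pattern behind this weakness class, shown as an added illustration rather than the OTP-less plugin's actual code (the parameter names `msg` and `redirect_to`, the widget markup and the attacker inputs are all constructed for the example): a handler that concatenates request input straight into HTML, beside the same handler with output escaping in the WordPress style. The `esc_*` stand-ins are only defined when WordPress is not loaded so the file runs with plain `php`; inside WordPress the real `esc_html()`, `esc_attr()` and `esc_url()` are used.

```php
<?php
// Added example for CVE-2025-32622's weakness class (CWE-79, reflected XSS).
// Not the OTP-less plugin's code; parameter names and markup are hypothetical.

// Stand-alone fallbacks so this runs outside WordPress. The real WordPress
// functions take precedence when the plugin is loaded inside WordPress.
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_url')) {
    // Simplified stand-in (stricter than WordPress', which also allows
    // relative paths): accept only absolute http(s) URLs, then attribute-encode.
    function esc_url(string $s): string {
        $u = filter_var($s, FILTER_VALIDATE_URL);
        if ($u === false) {
            return '';
        }
        $scheme = strtolower((string) parse_url($u, PHP_URL_SCHEME));
        if (!in_array($scheme, ['http', 'https'], true)) {
            return '';
        }
        return htmlspecialchars($u, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// Vulnerable pattern: request input is concatenated directly into the HTML.
// Both the text node and the href are attacker-controlled.
function render_login_widget_vulnerable(array $get): string {
    $msg      = (string) ($get['msg'] ?? '');
    $redirect = (string) ($get['redirect_to'] ?? '');
    return '<div class="otp-widget">'
         . '<p>' . $msg . '</p>'
         . '<a href="' . $redirect . '">Continue</a>'
         . '</div>';
}

// Hardened pattern: encode for the exact output context at render time.
// esc_html() for text, esc_url() for an href (which also refuses
// javascript: and data: schemes), esc_attr() for other attributes.
function render_login_widget_hardened(array $get): string {
    $msg      = (string) ($get['msg'] ?? '');
    $redirect = (string) ($get['redirect_to'] ?? '');
    return '<div class="otp-widget">'
         . '<p>' . esc_html($msg) . '</p>'
         . '<a href="' . esc_url($redirect) . '">Continue</a>'
         . '</div>';
}

// Constructed attacker inputs, as a crafted link to the site would carry them
// in its query string (the equivalent of $_GET inside a real request).
$crafted = [
    'msg'         => '<img src=x onerror=alert(document.cookie)>',
    'redirect_to' => 'javascript:alert(1)',
];

echo "VULNERABLE:\n" . render_login_widget_vulnerable($crafted) . "\n\n";
echo "HARDENED:\n"   . render_login_widget_hardened($crafted) . "\n";
```

The vulnerable output contains the `<img ... onerror=...>` tag and a `javascript:` link verbatim; the hardened output renders the tag as literal text (`&lt;img ...&gt;`) and drops the non-http(s) href entirely. The escaping has to happen at output, per context; "sanitizing" the input once on the way in is not a substitute, because the same string may land in a text node, an attribute and a URL.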

Affected Systems

All installations of the WordPress plugin OTP-less one tap Sign in, by the vendor OTP-less, at version 2.0.58 or earlier are affected. The record gives no lower bound ("from n/a"), so every release up to and including 2.0.58 should be treated as vulnerable.

Risk and Exploitability

The CVSS 3.1 base score of 7.1 (High) follows from the vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L: exploitable over the network, with low complexity and no privileges, but requiring user interaction (the victim must open the crafted link), and with scope changed because the injected script runs in the victim's browser rather than in the plugin itself. The EPSS score below 1% is a low estimated probability of exploitation in the wild over the next 30 days, not a statement that exploitation is impossible. The CVE is not listed in the CISA KEV catalog, and its SSVC record gives Exploitation: none and Automatable: no. The attack path is a crafted URL (or a form that submits to the reflecting endpoint) delivered to a victim by email, chat or a malicious page; the payoff is highest when the victim is a logged-in user such as a site administrator.

Generated by OpenCVE AI on April 30, 2026 at 21:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the OTP-less one tap Sign in plugin to a version newer than 2.0.58 as soon as the vendor publishes one, and confirm from the plugin changelog or the advisory that the release addresses this CVE.
  • If an upgrade is not possible, deactivate and remove the plugin until a patched version is available, so the reflecting endpoint is no longer reachable.
  • As a defence in depth, deploy a Content Security Policy that does not allow inline scripts (no 'unsafe-inline' in script-src; use nonces or hashes) and restricts script sources to the site's own origin and the few CDNs it actually needs. Roll it out in Report-Only mode first, since WordPress core, themes and other plugins commonly rely on inline scripts. Do not rely on the legacy X-XSS-Protection header: it is deprecated and ignored by current Chrome, Edge and Firefox.
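One way to apply the CSP mitigation on a WordPress site, as an added example that is not part of the OTP-less plugin or of OpenCVE's page: a must-use plugin that emits a nonce-based policy and attaches the nonce to scripts printed through the WordPress script API. It uses the `send_headers` action and the `wp_script_attributes` / `wp_inline_script_attributes` filters (present since WordPress 5.7); the plugin name and the `csp_example_` prefix are the example's own.

```php
<?php
/**
 * Plugin Name: CSP hardening (added example, not the OTP-less plugin)
 *
 * Place in wp-content/mu-plugins/. Emits a nonce-based Content-Security-Policy
 * so that script injected by a reflected XSS payload (inline <script> blocks and
 * on* event handlers) is refused by the browser. Shipped in Report-Only mode on
 * purpose: scripts that do not pass through the filters hooked below (themes and
 * plugins that print <script> tags by hand) would otherwise be blocked. Switch the
 * header name to Content-Security-Policy once the reports show nothing legitimate
 * is affected.
 */

// One nonce per request, shared by the header and every nonced <script> tag.
function csp_example_nonce(): string {
    static $nonce = null;
    if ($nonce === null) {
        $nonce = base64_encode(random_bytes(16)); // base64 is a valid CSP nonce value
    }
    return $nonce;
}

add_action('send_headers', function (): void {
    $nonce  = csp_example_nonce();
    $policy = implode('; ', [
        "default-src 'self'",
        // No 'unsafe-inline': injected inline scripts and on* handlers are blocked.
        // Add the CDN origins the site really loads scripts from, and nothing else.
        "script-src 'self' 'nonce-{$nonce}'",
        "object-src 'none'",
        "base-uri 'self'",
        "form-action 'self'",
        "frame-ancestors 'self'",
    ]);
    // Report-Only first; rename to Content-Security-Policy to enforce.
    header('Content-Security-Policy-Report-Only: ' . $policy);
});

// Attach the nonce to scripts printed via wp_enqueue_script() and
// wp_add_inline_script(), so the site's own scripts keep running under the policy.
$csp_example_add_nonce = function (array $attributes): array {
    $attributes['nonce'] = csp_example_nonce();
    return $attributes;
};
add_filter('wp_script_attributes', $csp_example_add_nonce);
add_filter('wp_inline_script_attributes', $csp_example_add_nonce);
```

With this policy, the injected `<img onerror=...>` or `<script>` from a reflected payload is blocked (and, in enforcing mode, reported) while a nonced `<script nonce="...">` printed by WordPress still executes. It reduces the impact of the XSS; it does not fix the plugin, so the upgrade or removal above remains the actual remediation.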

Advisories

  Source: EUVD
  ID: EUVD-2025-11708
  Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in OTP-less OTP-less one tap Sign in allows Reflected XSS. This issue affects OTP-less one tap Sign in: from n/a through 2.0.58.

History

Thu, 23 Apr 2026 15:00:00 +0000

  Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

  Description, removed: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in OTP-less OTP-less one tap Sign in allows Reflected XSS. This issue affects OTP-less one tap Sign in: from n/a through 2.0.58.
  Description, added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in OTP-less OTP-less one tap Sign in otpless allows Reflected XSS.This issue affects OTP-less one tap Sign in: from n/a through <= 2.0.58.
  References: updated
  Metrics (cvssV3_1): {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

Thu, 17 Apr 2025 19:15:00 +0000

  Metrics (ssvc), added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 17 Apr 2025 16:00:00 +0000

  Description, added: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in OTP-less OTP-less one tap Sign in allows Reflected XSS. This issue affects OTP-less one tap Sign in: from n/a through 2.0.58.
  Title, added: WordPress OTP-less one tap Sign in Plugin <= 2.0.58 - Reflected Cross Site Scripting (XSS) vulnerability
  Weaknesses, added: CWE-79
  References: added
  Metrics (cvssV3_1), added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

MITRE

  Status: PUBLISHED
  Assigner: Patchstack
  Published:
  Updated: 2026-04-28T16:12:25.693Z
  Reserved: 2025-04-09T11:20:43.115Z
  Link: CVE-2025-32622

Vulnrichment

  Updated: 2025-04-17T18:07:53.457Z

NVD

  Status: Deferred
  Published: 2025-04-17T16:15:47.187
  Modified: 2026-04-23T15:29:13.733
  Link: CVE-2025-32622

Redhat

  No data.

OpenCVE Enrichment

  Updated: 2026-04-30T22:00:08Z

Weaknesses