A popular WordPress plugin that lets users sign in with one click has an account-takeover vulnerability. The plugin, called OTP-less one tap Sign in, is affected in versions 2.0.14 to 2.0.59, where the flaw may allow unauthorized individuals to take control of a user's account. The cause is that the plugin does not properly check a user's identity before allowing changes to be made, such as changing their email address. As a result, attackers who are not logged in can change any user's email address, including an administrator's, and then use the changed address to reset the password and gain access. Furthermore, the plugin also sends authentication cookies in its response, which can be used to access the account directly without signing in.
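The class of flaw described above, shown as an added example that is not the plugin's own code: a hypothetical email-change AJAX handler in its weak form beside a hardened form. The action names, function names and request fields (`example_change_email`, `user_id`, `email`, `nonce`) are assumptions made for illustration; the WordPress functions called are core APIs.

```php
<?php
// Added illustration; hypothetical handler and action names, not the plugin's code.

// WEAK: registered for logged-out visitors and trusts the user ID in the request.
add_action( 'wp_ajax_nopriv_example_change_email', 'example_change_email_weak' );
function example_change_email_weak() {
    $user_id = absint( $_POST['user_id'] ?? 0 );
    $email   = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    wp_update_user( array( 'ID' => $user_id, 'user_email' => $email ) ); // no identity check
    wp_set_auth_cookie( $user_id ); // response now carries a session for that account
    wp_send_json_success();
}

// HARDENED: logged-in hook only, nonce, ownership/capability check, no cookie issued.
add_action( 'wp_ajax_example_change_email', 'example_change_email_hardened' );
function example_change_email_hardened() {
    // Reject requests that do not carry a valid nonce for this action.
    check_ajax_referer( 'example_change_email', 'nonce' );

    $target_id = absint( $_POST['user_id'] ?? 0 );
    $email     = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );

    // The caller must be the account owner or hold the edit_user capability for it.
    if ( ! $target_id || ! current_user_can( 'edit_user', $target_id ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
    if ( ! is_email( $email ) || email_exists( $email ) ) {
        wp_send_json_error( array( 'message' => 'Invalid email' ), 400 );
    }

    $result = wp_update_user( array( 'ID' => $target_id, 'user_email' => $email ) );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( array( 'message' => 'Update failed' ), 500 );
    }
    // Never mint authentication cookies as a side effect of a profile change.
    wp_send_json_success();
}
```

When reviewing a plugin for this pattern, look for `wp_ajax_nopriv_` or public REST routes that reach `wp_update_user()` or `wp_set_auth_cookie()` with a user ID taken from the request.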