The plugin returns generated OTP codes for users to use when using the logging in via phone number feature, allowing unauthenticated users to retrieve them for arbitrary accounts and be able to login as any user, including administrator granted they know the related phone number.