Is revealing the phone number during OTP verification process considered a vulnerability?

The primary attack method against text message OTP is to 'sim swap' and take over the target's phone number. If the site provided the full number in this scenario, they'd be giving the attacker exactly the information they need to break the security being used.

(To lift up comments: In general, more personal information is needed, if you're going to social engineer telecom staff into swapping the SIM. In some places and under some carriers, it's even harder than that, requiring ID to be presented in person. But there are also cases where nothing more than the phone number is required, even with enhanced protections in place, if the telecom staff are colluding with the attackers.)

This is not about a "vulnerability". This is about personally identifiable information (PII). It's the same reason why credit cards numbers are not displayed in full on sites either.

Anyone passing by your screen, cameras recording, etc, would see the info. And it's not necessary to show the whole number. It's just there as a reminder to the user.

If the full number were listed then I could visit your account, request a new password, and know your phone number. The last two digits are a tradeoff that permit you to know its (likely) your number without giving away your phone number to anybody who wants to view it on the website.