


Perceptive Security
SOC/SIEM Consultancy

The User Verification by PickPlugins plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.0.46. This is due to th…
Published:
1 May 2026 at 22:00:00
Alert date:
2 May 2026 at 06:01:06
Source:
nvd.nist.gov
Web Technologies
The User Verification by PickPlugins plugin for WordPress contains an authentication bypass vulnerability affecting all versions up to and including 2.0.46. The vulnerability stems from the use of a loose PHP comparison operator to validate OTP codes in the user_verification_form_wrap_process_otpLogin function. This flaw allows unauthenticated attackers to bypass authentication and log in as any user with a verified email address, including administrators, by simply submitting a 'true' OTP value. The vulnerability poses a critical risk as it enables complete account takeover of privileged users through a trivial exploit.
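The loose-comparison flaw described above, shown beside a hardened check. This is an added example, not the plugin's code: the function names `otp_matches_loose` and `otp_matches_strict`, the six-digit OTP format and the sample values are assumptions constructed for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical helpers; the plugin's real code is not reproduced here.

/** Vulnerable pattern: `==` lets PHP convert types before comparing. */
function otp_matches_loose(mixed $submitted, string $stored): bool
{
    // When one operand is a boolean, the other is converted to boolean too,
    // so any non-empty stored code compares equal to boolean true.
    return $submitted == $stored;
}

/** Hardened pattern: type check, format check, then constant-time compare. */
function otp_matches_strict(mixed $submitted, string $stored): bool
{
    if (!is_string($submitted) || $stored === '') {
        return false; // rejects booleans, integers, arrays and null
    }
    if (!ctype_digit($submitted) || strlen($submitted) !== strlen($stored)) {
        return false; // rejects anything that is not a digit string of the same length
    }
    return hash_equals($stored, $submitted); // exact match, timing-safe
}

// Constructed sample data: the code the server stored for the user.
$stored = '483920';

// Constructed submitted values, as they might look after request parsing.
$cases = [
    'correct code' => '483920',
    'wrong code'   => '000000',
    'boolean true' => true,
    'empty string' => '',
    'null'         => null,
];

foreach ($cases as $label => $value) {
    printf(
        "%-13s loose=%-5s strict=%s\n",
        $label,
        var_export(otp_matches_loose($value, $stored), true),
        var_export(otp_matches_strict($value, $stored), true)
    );
}
```

Only the boolean row differs between the two columns: the loose check accepts it without knowledge of the stored code, while the strict check rejects every non-string input before comparing.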
Technical details
Mitigation steps:
Affected products:
User Verification by PickPlugins WordPress plugin
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-7458
https://plugins.trac.wordpress.org/browser/user-verification/trunk/includes/functions-rest.php%23L234?rev=3461175
https://plugins.trac.wordpress.org/browser/user-verification/trunk/templates/email-otp-login-form/hook.php%23L164?rev=3461175
https://plugins.trac.wordpress.org/browser/user-verification/trunk/templates/email-otp-login-form/index.php%23L71?rev=3461175
https://plugins.trac.wordpress.org/changeset/3519113/user-verification
https://www.wordfence.com/threat-intel/vulnerabilities/id/35b86488-8f68-4738-a9a8-76d0b7976165?source=cve
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
