Description
The Email Verification, Email OTP, Block Spam Email, Passwordless login, Hide Login, Magic Login – User Verification plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.0.44. This is due to the plugin not properly validating that an OTP was generated before comparing it to user input in the "user_verification_form_wrap_process_otpLogin" function. This makes it possible for unauthenticated attackers to log in as any user with a verified email address, such as an administrator, by submitting an empty OTP value.
Published: 2025-12-05
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Account takeover via authentication bypass
Action: Immediate Patch
AI Analysis

Impact

The User Verification plugin for WordPress is vulnerable to an authentication bypass that allows attackers to log in as any user with a verified email address, including administrators, by submitting an empty one‑time password. This flaw arises because the plugin does not verify that an OTP has actually been generated before comparing it to the input. As a result, the system accepts the empty value and grants access, effectively compromising the confidentiality and integrity of affected accounts.

Affected Systems

Any WordPress installation that uses the PickPlugins User Verification plugin version 2.0.44 or earlier is affected. The vulnerability exists in the user_verification_form_wrap_process_otpLogin function, and any site that enables OTP, magic login, or passwordless login features via this plugin is at risk.

Risk and Exploitability

The CVSS score of 9.8 indicates a critical severity, while the EPSS score of less than 1% suggests a low current exploitation probability. The vulnerability is not listed in CISA's KEV catalog, but its high severity means that once exploited it would allow full account takeover. The likely attack vector is a web‑based form submission with an empty OTP field, requiring no special privileges or sophisticated techniques beyond standard HTTP requests.

Generated by OpenCVE AI on April 22, 2026 at 12:17 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the User Verification plugin to the latest version that implements proper OTP validation.
  • If an update is not yet available, temporarily disable the OTP login feature or deactivate the plugin until a patch is released.
  • Monitor authentication logs for suspicious activity and enforce stricter account recovery procedures to detect any compromised accounts early.

Generated by OpenCVE AI on April 22, 2026 at 12:17 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
Description The Email Verification, Email OTP, Block Spam Email, Passwordless login, Hide Login, Magic Login – User Verification plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.0.39. This is due to the plugin not properly validating that an OTP was generated before comparing it to user input in the "user_verification_form_wrap_process_otpLogin" function. This makes it possible for unauthenticated attackers to log in as any user with a verified email address, such as an administrator, by submitting an empty OTP value. The Email Verification, Email OTP, Block Spam Email, Passwordless login, Hide Login, Magic Login – User Verification plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.0.44. This is due to the plugin not properly validating that an OTP was generated before comparing it to user input in the "user_verification_form_wrap_process_otpLogin" function. This makes it possible for unauthenticated attackers to log in as any user with a verified email address, such as an administrator, by submitting an empty OTP value.
Title Email Verification, Email OTP, Block Spam Email, Passwordless login, Hide Login, Magic Login – User Verification <= 2.0.39 - Authentication Bypass to Account Takeover Email Verification, Email OTP, Block Spam Email, Passwordless login, Hide Login, Magic Login – User Verification <= 2.0.44 - Authentication Bypass to Account Takeover
References

Fri, 05 Dec 2025 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Pickplugins
Pickplugins user Verification
Wordpress
Wordpress wordpress
Vendors & Products Pickplugins
Pickplugins user Verification
Wordpress
Wordpress wordpress

Fri, 05 Dec 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 05 Dec 2025 06:30:00 +0000

Type Values Removed Values Added
Description The Email Verification, Email OTP, Block Spam Email, Passwordless login, Hide Login, Magic Login – User Verification plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.0.39. This is due to the plugin not properly validating that an OTP was generated before comparing it to user input in the "user_verification_form_wrap_process_otpLogin" function. This makes it possible for unauthenticated attackers to log in as any user with a verified email address, such as an administrator, by submitting an empty OTP value.
Title Email Verification, Email OTP, Block Spam Email, Passwordless login, Hide Login, Magic Login – User Verification <= 2.0.39 - Authentication Bypass to Account Takeover
Weaknesses CWE-287
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Pickplugins User Verification
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:06:06.262Z

Reserved: 2025-10-27T21:22:35.296Z

Link: CVE-2025-12374

cve-icon Vulnrichment

Updated: 2025-12-05T13:42:09.734Z

cve-icon NVD

Status : Deferred

Published: 2025-12-05T07:16:11.117

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12374

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T12:30:16Z

Weaknesses