Description
Weak Authentication vulnerability in PickPlugins User Verification user-verification allows Authentication Abuse.This issue affects User Verification: from n/a through <= 2.0.45.
Published: 2026-03-25
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access via Verification Bypass
Action: Patch Now
AI Analysis

Impact

Weak authentication in the PickPlugins User Verification plugin allows an attacker to bypass the email verification process during user registration or login. This grants the attacker the ability to assume any account without needing to access the associated email address, leading to unauthorized access to content and administrative functions. The vulnerability is identified as a weak authentication flaw (CWE‑1390).

Affected Systems

The issue affects WordPress sites running the PickPlugins User Verification plugin through version 2.0.45. Any installation of this plugin within that version range is susceptible.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity, and the EPSS score of less than 1% suggests a low probability of widespread exploitation. The vulnerability is not listed in the CISA KEV catalog. Exploitation can likely be achieved from the web interface by providing forged credentials or manipulating the registration flow, making the attack vector remote over the internet. Administrators should treat this as a medium‑to‑high risk in environments where email verification is the primary gate for account creation.

Generated by OpenCVE AI on March 26, 2026 at 22:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the PickPlugins User Verification plugin to a version newer than 2.0.45.
  • Verify that email verification is properly enabled after the update.
  • Review the list of user accounts for potential unauthorized access.
  • Implement additional security controls, such as two‑factor authentication, to mitigate the impact of any remaining authentication weaknesses.

Generated by OpenCVE AI on March 26, 2026 at 22:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Pickplugins
Pickplugins user Verification
Wordpress
Wordpress wordpress
Vendors & Products Pickplugins
Pickplugins user Verification
Wordpress
Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description Weak Authentication vulnerability in PickPlugins User Verification user-verification allows Authentication Abuse.This issue affects User Verification: from n/a through <= 2.0.45.
Title WordPress User Verification plugin <= 2.0.45 - Email Verification Bypass vulnerability
Weaknesses CWE-1390
References

Subscriptions

Pickplugins User Verification
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-26T20:29:50.008Z

Reserved: 2026-03-12T11:12:00.510Z

Link: CVE-2026-32497

cve-icon Vulnrichment

Updated: 2026-03-26T20:29:10.476Z

cve-icon NVD

Status : Deferred

Published: 2026-03-25T17:17:01.533

Modified: 2026-04-24T16:35:20.070

Link: CVE-2026-32497

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:31:04Z

Weaknesses