Description
The User Verification by PickPlugins plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.0.46. This is due to the use of a loose PHP comparison operator to validate OTP codes in the "user_verification_form_wrap_process_otpLogin" function. This makes it possible for unauthenticated attackers to log in as any user with a verified email address, such as an administrator, by submitting a "true" OTP value.
Published: 2026-05-02
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The User Verification plugin for WordPress allows unauthenticated attackers to bypass authentication by exploiting a loose PHP comparison operator used to validate one-time passwords. An attacker can simply submit the string "true" as the OTP value, causing the comparison to succeed for any verified email address, and receive the privileges of that user.

Affected Systems

WordPress sites running the PickPlugins User Verification plugin, all builds up to and including version 2.0.46, are vulnerable. The issue resides in the REST API endpoint that processes OTP submissions.

Risk and Exploitability

With a CVSS score of 9.8, this flaw is considered critical. The EPSS score is unavailable and the vulnerability is not listed in CISA KEV, but the lack of a verification requirement makes the attack straightforward and practical for remote actors. The likely attack vector is a remote, unauthenticated request to the OTP verification endpoint, where the attacker successfully logs in as any user with a verified email address.

Generated by OpenCVE AI on May 2, 2026 at 06:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the User Verification plugin to a version newer than 2.0.46, which removes the loose comparison vulnerability.
  • If an immediate upgrade is not possible, disable or uninstall the plugin to eliminate the exposed endpoint.
  • As a temporary workaround, manually edit the file that contains the otpLogin function to replace the loose comparison with a strict comparison (===) or to otherwise validate the OTP against the stored value before accepting the login.
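The loose and strict OTP checks described above, side by side, as an added PHP illustration that is not the plugin's own code (the function names, the stored code and the request values are constructed for the example):

```php
<?php
// Illustrative example, not the plugin's code: why a loose (==) comparison
// on an OTP check accepts a JSON boolean, and why a strict check does not.

// Constructed sample of the OTP a site would have issued to a user.
$stored_otp = '483920';

// Vulnerable pattern: loose comparison. When a REST request body is JSON,
// the submitted value can arrive as the boolean true, and in PHP
// `true == '483920'` evaluates to true because a non-empty string is truthy.
function otp_matches_loose($submitted, string $stored): bool {
    return $submitted == $stored;
}

// Hardened pattern: reject anything that is not a non-empty string, then
// compare in constant time with hash_equals(). A boolean, integer or array
// can never satisfy the check, and the comparison itself is type-safe.
function otp_matches_strict($submitted, string $stored): bool {
    if (!is_string($submitted) || $submitted === '') {
        return false;
    }
    return hash_equals($stored, $submitted);
}

// Constructed request values as a JSON REST handler would decode them.
$cases = [
    'correct code' => '483920',
    'wrong code'   => '000000',
    'json true'    => true,
    'json integer' => 483920, // wrong type, even though the digits match
];

foreach ($cases as $label => $value) {
    printf("%-13s loose=%s strict=%s\n",
        $label,
        otp_matches_loose($value, $stored_otp) ? 'accept' : 'reject',
        otp_matches_strict($value, $stored_otp) ? 'accept' : 'reject');
}
```

The 'json true' and 'json integer' rows are the ones to watch: the loose check accepts both, the strict check accepts only the exact stored string.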

Advisories

No advisories yet.

History

Mon, 04 May 2026 16:15:00 +0000

Type: First Time appeared
Values Removed: none
Values Added: Pickplugins; Pickplugins user Verification By Pickplugins; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: none
Values Added: Pickplugins; Pickplugins user Verification By Pickplugins; Wordpress; Wordpress wordpress

Mon, 04 May 2026 15:30:00 +0000

Type: Metrics
Values Removed: none
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Sat, 02 May 2026 05:15:00 +0000

Type: Description
Values Removed: none
Values Added: The User Verification by PickPlugins plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.0.46. This is due to the use of a loose PHP comparison operator to validate OTP codes in the "user_verification_form_wrap_process_otpLogin" function. This makes it possible for unauthenticated attackers to log in as any user with a verified email address, such as an administrator, by submitting a "true" OTP value.

Type: Title
Values Removed: none
Values Added: User Verification by PickPlugins <= 2.0.46 - Unauthenticated Authentication Bypass via OTP Verification REST API Endpoint

Type: Weaknesses
Values Removed: none
Values Added: CWE-288

Type: References

Type: Metrics
Values Removed: none
Values Added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-04T14:54:08.894Z

Reserved: 2026-04-29T17:39:00.757Z

Link: CVE-2026-7458

Vulnrichment

Updated: 2026-05-04T14:53:58.919Z

NVD

Status : Received

Published: 2026-05-02T05:16:01.420

Modified: 2026-05-02T05:16:01.420

Link: CVE-2026-7458

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-04T16:07:10Z

Weaknesses