CVE-2026-7458:
Authentication bypass vulnerability in the User Verification by PickPlugins WordPress plugin (versions up to and including 2.0.46) allows unauthenticated attackers to log in as any user, including administrators, by exploiting a loose PHP comparison in OTP validation.
Score
A numerical rating that indicates how dangerous this vulnerability is.
9.8Critical- Published Date:May 2, 2026
- CISA KEV Date:*No Data*
- Industries Affected:20
Threat Predictions
- EPSS Score:0.1
- EPSS Percentile:20%
Exploitability
- Score:3.9
- Attack Vector:NETWORK
- Attack Complexity:LOW
- Privileges Required:NONE
- User Interaction:NONE
- Scope:UNCHANGED
Impact
- Score:5.9
- Confidentiality Impact:HIGH
- Integrity Impact:HIGH
- Availability Impact:HIGH
Description Preview
Authentication bypass vulnerability in the User Verification by PickPlugins WordPress plugin (versions up to and including 2.0.46) allows unauthenticated attackers to log in as any user, including administrators, by exploiting a loose PHP comparison in OTP validation.
Overview
The User Verification by PickPlugins WordPress plugin contains a critical authentication bypass vulnerability stemming from improper use of PHP's loose comparison operator during OTP login validation. In PHP, loose comparisons using `==` are subject to type coercion, meaning that the string or value `"true"` can compare as equal to a valid OTP numeric code under certain conditions. The affected function `user_verification_form_wrap_process_otpLogin` fails to enforce strict type checking, allowing any unauthenticated attacker to submit a crafted OTP value of "true" and gain immediate authenticated access as any user with a verified email address on the site, including site administrators. This vulnerability (CWE-288: Authentication Bypass Using an Alternate Path or Channel) is remotely exploitable over the network with low attack complexity and no prerequisites, making it trivial to exploit at scale.
Remediation
- It is strongly recommended that all WordPress site administrators using the User Verification by PickPlugins plugin update to a version later than 2.0.46 immediately, as a patch has been issued in changeset 3519113. The fix addresses the loose comparison operator by replacing it with a strict PHP comparison (`===`) to ensure proper type-safe validation of OTP codes. Until the update can be applied, administrators should consider temporarily disabling the OTP login functionality or the plugin entirely to reduce exposure. Additionally, administrators should audit recent login activity for signs of unauthorized access and reset credentials for any accounts that may have been compromised.
References
- - [Wordfence Vulnerability Intelligence – CVE-2026-7458](https://www.wordfence.com/threat-intel/vulnerabilities/id/35b86488-8f68-4738-a9a8-76d0b7976165?source=cve)
- - [WordPress Plugin Changeset 3519113 – User Verification Patch](https://plugins.trac.wordpress.org/changeset/3519113/user-verification)
- - [Vulnerable Code – functions-rest.php Line 234](https://plugins.trac.wordpress.org/browser/user-verification/trunk/includes/functions-rest.php%23L234?rev=3461175)
- - [Vulnerable Code – hook.php Line 164](https://plugins.trac.wordpress.org/browser/user-verification/trunk/templates/email-otp-login-form/hook.php%23L164?rev=3461175)
- - [Vulnerable Code – index.php Line 71](https://plugins.trac.wordpress.org/browser/user-verification/trunk/templates/email-otp-login-form/index.php%23L71?rev=3461175)
- - [CWE-288: Authentication Bypass Using an Alternate Path or Channel](https://cwe.mitre.org/data/definitions/288.html)
Industries Affected
Below is a list of industries most commonly impacted or potentially at risk based on intelligence.
