Vulnerability Description
The User Verification by PickPlugins plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.0.46. This is due to the use of a loose PHP comparison operator to validate OTP codes in the "user_verification_form_wrap_process_otpLogin" function. This makes it possible for unauthenticated attackers to log in as any user with a verified email address, such as an administrator, by submitting a "true" OTP value.
CVSS Score
CRITICAL
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/browser/user-verification/trunk/includes/func
- https://plugins.trac.wordpress.org/browser/user-verification/trunk/templates/ema
- https://plugins.trac.wordpress.org/browser/user-verification/trunk/templates/ema
- https://plugins.trac.wordpress.org/changeset/3519113/user-verification
- https://www.wordfence.com/threat-intel/vulnerabilities/id/35b86488-8f68-4738-a9a
FAQ
What is CVE-2026-7458?
CVE-2026-7458 is a vulnerability with a CVSS score of 9.8 (CRITICAL). The User Verification by PickPlugins plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.0.46. This is due to the use of a loose PHP comparison operator...
How severe is CVE-2026-7458?
CVE-2026-7458 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-7458?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.