CVE-2026-7458
Deferred Deferred - Pending Action
Authentication Bypass in User Verification WordPress Plugin

Publication date: 2026-05-02

Last updated on: 2026-05-05

Assigner: Wordfence

Description
The User Verification by PickPlugins plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.0.46. This is due to the use of a loose PHP comparison operator to validate OTP codes in the "user_verification_form_wrap_process_otpLogin" function. This makes it possible for unauthenticated attackers to log in as any user with a verified email address, such as an administrator, by submitting a "true" OTP value.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-02
Last Modified
2026-05-05
Generated
2026-06-16
AI Q&A
2026-05-02
EPSS Evaluated
2026-06-15
NVD
CVE-2026-7458
EUVD
EUVD-2026-26737
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
pickplugins user_verification to 2.0.46 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-288 The product requires authentication, but the product has an alternate path or channel that does not require authentication.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The User Verification by PickPlugins plugin for WordPress has a vulnerability in all versions up to and including 2.0.46. This vulnerability is an authentication bypass caused by the use of a loose PHP comparison operator when validating OTP (One-Time Password) codes in the function "user_verification_form_wrap_process_otpLogin."

Because of this loose comparison, an unauthenticated attacker can bypass normal login procedures and log in as any user who has a verified email address, including administrators, by submitting a "true" OTP value.

Impact Analysis

This vulnerability can have severe impacts because it allows attackers to bypass authentication without valid credentials.

  • Attackers can gain unauthorized access to user accounts, including those with administrative privileges.
  • Once logged in as an administrator, attackers can control the WordPress site, modify content, steal data, or install malicious code.
  • The vulnerability has a high severity score (CVSS 9.8), indicating critical impact on confidentiality, integrity, and availability.
Compliance Impact

This vulnerability allows unauthenticated attackers to bypass authentication and log in as any user with a verified email address, including administrators. Such unauthorized access can lead to exposure, modification, or deletion of sensitive data.

Consequently, this poses significant risks to compliance with common standards and regulations such as GDPR and HIPAA, which require strict access controls and protection of personal and sensitive information.

Failure to prevent unauthorized access due to this vulnerability could result in violations of these regulations, potentially leading to legal penalties, data breaches, and loss of trust.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-7458. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart