User Verification by PickPlugins < 2.0.47 – Unauthenticated Authentication Bypass via OTP Verification | CVE 2026-7458

Description

The plugin is vulnerable to authentication bypass due to the use of a loose PHP comparison operator to validate OTP codes in the user_verification_form_wrap_process_otpLogin function, allowing unauthenticated attackers to log in as any user with a verified email address, such as an administrator, by submitting a "true" OTP value.

Proof of Concept

The PoC will be displayed once the issue has been remediated.

Affects Plugins

user-verification

Fixed in 2.0.47

References

CVE

CVE-2026-7458

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/35b86488-8f68-4738-a9a8-76d0b7976165

Classification

Type

AUTHBYPASS

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CWE-287

CVSS

9.8 (critical)

Miscellaneous

Original Researcher

kai63001

Verified

Yes

WPVDB ID

25dcc4f5-944e-453b-b684-d5416a0546f7

Timeline

Publicly Published

2026-05-01 (about 1 month ago)

Added

2026-05-04 (about 1 month ago)

Last Updated

2026-06-09 (about 8 minutes ago)

Other

Published

Title

Published

2013-03-24

Title

Backupbuddy - importbuddy.php Direct Request Remote Backup File Disclosure

Published

2024-05-07

Title

Social Connect <= 1.2 - Authentication Bypass

Published

2013-03-24

Title

Backupbuddy - importbuddy.php step Parameter Manipulation Authentication Bypass

Published

2025-05-29

Title

Browse As <= 0.2 - Subscriber+ Authentication Bypass via Cookie

Published

2024-11-04

Title

Social Login - WordPress / WooCommerce Plugin < 2.7.8 - Authentication Bypass