Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
3DescriptionCVE.org
Weak Authentication vulnerability in PickPlugins User Verification user-verification allows Authentication Abuse.This issue affects User Verification: from n/a through <= 2.0.45.
AnalysisAI
A weak authentication vulnerability in the PickPlugins User Verification WordPress plugin (versions up to 2.0.45) allows attackers to bypass email verification mechanisms, enabling authentication abuse and unauthorized account creation or takeover. This vulnerability has been identified by Patchstack as an email verification bypass issue affecting the user verification functionality, potentially exposing sites using this plugin to account compromise and unauthorized access. The practical impact depends on how the plugin integrates with site authentication workflows, but successful exploitation could allow attackers to register accounts, access user data, or impersonate legitimate users.
Technical ContextAI
The vulnerability resides in the PickPlugins User Verification plugin (identified via CPE cpe:2.3:a:pickplugins:user_verification:*:*:*:*:*:*:*:*), which implements email verification as a gating mechanism for user authentication and account creation. The root cause is classified under CWE-1390, which relates to weak authentication mechanisms that fail to properly validate user identity. Specifically, the plugin's email verification logic contains flaws that permit attackers to circumvent the intended verification step, likely through inadequate token validation, missing CSRF protections, timing window exploitation, or insufficient entropy in verification tokens. This allows attackers to establish authenticated sessions without completing the legitimate email verification workflow that should confirm legitimate ownership of the email address.
RemediationAI
Immediately upgrade PickPlugins User Verification to a version greater than 2.0.45 (verify availability of patched version from the vendor or Patchstack advisory). If a patched version is not yet available, disable email verification in the plugin configuration as a temporary measure, or consider deactivating the plugin entirely until a fix is released. Additionally, implement application-level compensating controls such as enforcing CAPTCHA on registration, requiring manual admin approval for new accounts, and monitoring authentication logs for suspicious account creation patterns. Review recently created user accounts for suspicious activity and consider resetting passwords for any accounts created since the plugin was deployed. Subscribe to Patchstack security alerts and monitor the WordPress plugin repository for version updates.
Same weakness CWE-1390 – Weak Authentication
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15843