Skip to main content

User Verification by PickPlugins EUVDEUVD-2026-26737

| CVE-2026-7458 CRITICAL
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
2026-05-02 security@wordfence.com
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Analysis Generated
May 02, 2026 - 05:31 vuln.today
EUVD ID Assigned
May 02, 2026 - 05:22 euvd
EUVD-2026-26737
Analysis Generated
May 02, 2026 - 05:22 vuln.today
CVE Published
May 02, 2026 - 05:16 nvd
CRITICAL 9.8

DescriptionCVE.org

The User Verification by PickPlugins plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.0.46. This is due to the use of a loose PHP comparison operator to validate OTP codes in the "user_verification_form_wrap_process_otpLogin" function. This makes it possible for unauthenticated attackers to log in as any user with a verified email address, such as an administrator, by submitting a "true" OTP value.

AnalysisAI

Authentication bypass in User Verification by PickPlugins for WordPress allows remote unauthenticated attackers to log in as any user with a verified email - including administrators - by submitting the string 'true' as the OTP code. The vulnerability stems from a loose PHP comparison operator (==) in the OTP validation logic, which treats the boolean true as equal to any non-zero numeric OTP value. With CVSS 9.8 (AV:N/AC:L/PR:N/UI:N) and EPSS data unavailable, this represents complete system compromise risk for WordPress sites running vulnerable versions (≤2.0.46). Fixed in version 2.0.47 per Wordfence advisory and WordPress plugin repository changeset 3519113.

Technical ContextAI

This vulnerability exploits PHP's loose comparison semantics ( operator) versus strict comparison (=). When validating OTP codes, the affected function user_verification_form_wrap_process_otpLogin uses a loose comparison that coerces types before evaluation. In PHP, the boolean true evaluates as equal to any non-zero integer when using , so submitting the string 'true' as an OTP bypasses validation against legitimate numeric codes. This is a textbook CWE-288 (Authentication Bypass Using an Alternate Path or Channel) combined with CWE-1023 (Incomplete Comparison with Missing Factors). The vulnerability exists across three template files in the email-otp-login-form feature and the REST API endpoint in functions-rest.php. WordPress plugins using OTP-based authentication must implement strict type checking (=) and validate input type before comparison to prevent type juggling attacks.

RemediationAI

Immediately update User Verification by PickPlugins to version 2.0.47 or later through the WordPress admin dashboard (Plugins → Updates) or manually download from the WordPress plugin repository. The fix (changeset 3519113) replaces loose PHP comparison operators with strict type-checking equivalents in OTP validation logic. After updating, review WordPress admin user accounts and access logs for suspicious authentication events since plugin installation - check for logins from unexpected IP addresses or geographic locations, particularly those coinciding with OTP login attempts. As a temporary compensating control if immediate patching is not feasible, disable the email OTP login feature via plugin settings or deactivate the entire plugin until patching is complete. Note that disabling OTP login will force users back to password-based authentication, which may require communication to user base. No .htaccess rules or firewall configurations can effectively block this vulnerability since the flaw is in application logic, not network-accessible endpoints. Full plugin deactivation is the only reliable pre-patch mitigation, accepting the trade-off of lost OTP authentication functionality.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

EUVD-2026-26737 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy