User Verification by PickPlugins Plugin for WordPress <= 2.0.46 — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/products/user-verification-by-pickplugins-plugin-for-wordpress--2.0.46/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioSat, 02 May 2026 05:16:01 +0000WordPress User Verification Plugin Authentication Bypass Vulnerabilityhttps://feed.craftedsignal.io/briefs/2026-05-wordpress-auth-bypass/Sat, 02 May 2026 05:16:01 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-wordpress-auth-bypass/The User Verification by PickPlugins plugin for WordPress is vulnerable to authentication bypass in versions up to 2.0.46 due to a loose PHP comparison, allowing unauthenticated attackers to log in as any verified user by submitting a 'true' OTP value.The User Verification by PickPlugins plugin, a popular WordPress plugin, contains a critical authentication bypass vulnerability (CVE-2026-7458) affecting all versions up to and including 2.0.46. The flaw resides within the user_verification_form_wrap_process_otpLogin function, where a loose PHP comparison operator is used to validate OTP codes. This weakness allows unauthenticated attackers to bypass the OTP verification process and log in as any user with a verified email address, potentially gaining administrative access. Successful exploitation requires the attacker to submit the string “true” as the OTP value. This vulnerability poses a significant risk to WordPress sites using the affected plugin, potentially leading to complete site compromise.

Attack Chain

  1. An unauthenticated attacker identifies a WordPress site using a vulnerable version of the User Verification by PickPlugins plugin (<= 2.0.46).
  2. The attacker navigates to the OTP login form provided by the plugin.
  3. The attacker enters the email address of a target user, such as an administrator.
  4. The attacker intercepts the OTP request and instead of a numerical code, submits the string “true” as the OTP value.
  5. The vulnerable user_verification_form_wrap_process_otpLogin function processes the submitted OTP. Due to the loose PHP comparison (e.g., == instead of ===), the string “true” evaluates to true, bypassing the intended OTP validation.
  6. The plugin incorrectly authenticates the attacker as the targeted user.
  7. The attacker gains unauthorized access to the targeted user’s account, potentially gaining administrative privileges.
  8. The attacker can now perform actions such as modifying website content, installing malicious plugins, or exfiltrating sensitive data.

Impact

Successful exploitation of CVE-2026-7458 allows unauthenticated attackers to bypass the OTP verification mechanism and gain unauthorized access to any user account with a verified email address on a vulnerable WordPress site. This can lead to complete compromise of the affected WordPress site, enabling attackers to modify content, inject malicious code, steal sensitive data, or use the site for malicious purposes. Given the plugin’s popularity, this vulnerability could impact a large number of WordPress websites.

Recommendation

  • Upgrade the User Verification by PickPlugins plugin to the latest version (greater than 2.0.46) to patch CVE-2026-7458.
  • Monitor WordPress access logs for unusual login attempts or the presence of “true” as OTP values to identify potential exploitation attempts. Deploy the Detect Successful Authentication Bypass via True OTP Sigma rule.
  • Implement stricter input validation and sanitization for OTP codes to prevent similar bypass vulnerabilities.
]]>criticalthreatwordpressauthentication bypasscve-2026-7458