CVE-2026-7458: WordPress Plugin Auth Bypass Exposes Admins
A critical authentication bypass vulnerability, identified as CVE-2026-7458, affects the User Verification by PickPlugins plugin for WordPress. All versions up to and including 2.0.46 are vulnerable. The National Vulnerability Database reports this is due to a loose PHP comparison operator used to validate OTP codes within the user_verification_form_wrap_process_otpLogin function.
This flaw allows unauthenticated attackers to log in as any user with a verified email address by simply submitting a “true” OTP value. This includes high-privilege accounts like administrators. The CVSSv3.1 score of 9.8 (CRITICAL) underscores the severity, indicating a complete compromise of confidentiality, integrity, and availability is possible with no specialized access or user interaction required.
For defenders, this is a straightforward, high-impact threat. An attacker doesn’t need to brute-force or guess the code: knowing a valid verified email address and submitting the single value that defeats the comparison is enough. Given how widely WordPress is deployed, this is the kind of vulnerability that gets weaponized quickly and broadly.
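To make the root cause concrete, the following PHP snippet is an added illustration written for this write-up; it is not code from the PickPlugins plugin, and the page does not say how the plugin parses its request body. The stored code, the function names `verify_otp_loose` and `verify_otp_strict`, and the sample inputs are all constructed. It contrasts the loose `==` comparison the NVD entry describes with a type-strict, constant-time check.

```php
<?php
// Added illustration (not the plugin's code): how a loose PHP comparison
// undermines OTP validation, and how a strict check closes the hole.
declare(strict_types=1);

// Constructed sample: the one-time code the server stored for this login.
const STORED_OTP = '483920';

// Vulnerable pattern: == applies PHP type juggling. A boolean true compares
// equal to any non-empty string, and numeric-looking strings are compared
// as numbers rather than character by character.
function verify_otp_loose(mixed $submitted, string $stored): bool
{
    return $submitted == $stored;
}

// Hardened pattern: refuse anything that is not a string, then compare with
// hash_equals(), which is type-strict and runs in constant time.
function verify_otp_strict(mixed $submitted, string $stored): bool
{
    if (!is_string($submitted)) {
        return false;
    }
    return hash_equals($stored, $submitted);
}

// Constructed inputs, including the native types json_decode() can yield
// when a client sends a JSON body instead of form-encoded strings.
$cases = [
    'correct code'    => '483920',
    'wrong code'      => '000000',
    'boolean true'    => true,        // JSON body: {"otp": true}
    'numeric-looking' => '483920.0',  // compared numerically by ==
    'leading space'   => ' 483920',   // still a numeric string for ==
];

foreach ($cases as $label => $input) {
    printf(
        "%-16s loose=%s strict=%s\n",
        $label,
        verify_otp_loose($input, STORED_OTP) ? 'ACCEPT' : 'reject',
        verify_otp_strict($input, STORED_OTP) ? 'ACCEPT' : 'reject'
    );
}
```

Run it with `php otp_compare.php` (PHP 8 or later, for the `mixed` type). The loose check accepts the boolean and both numeric-looking variants; the strict check accepts only the exact stored string. When reviewing your own plugins or custom code, grep for `==` or `!=` on anything that validates a token, OTP, nonce or password and replace it with `hash_equals()` after an `is_string()` guard.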
What This Means For You
- If your organization uses the User Verification by PickPlugins WordPress plugin, you are exposed. Immediately verify your plugin version. If it's 2.0.46 or earlier, disable it or apply a patch the moment one is available. Audit your WordPress access logs for any suspicious logins to administrative accounts or any activity from unverified sources.
🛡️ Detection Rules
```yaml
title: 'CVE-2026-7458: WordPress User Verification Plugin Auth Bypass'
id: scw-2026-05-02-ai-1
status: experimental
level: critical
description: |
  Detects POST requests to the 'user_verification_form_wrap_process_otpLogin'
  action of the User Verification by PickPlugins WordPress plugin. This
  function is vulnerable to an authentication bypass due to a loose PHP
  comparison, allowing unauthenticated attackers to submit a 'true' OTP value
  and log in as any user, including administrators.
author: SCW Feed Engine (AI-generated)
date: 2026-05-02
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-7458/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    c-uri|contains: '/wp-admin/'
    cs-uri-query|contains: 'action=user_verification_form_wrap_process_otpLogin'
    cs-method: 'POST'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Source: Shimi's Cyber World
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-7458 | Auth Bypass | User Verification by PickPlugins plugin for WordPress |
| CVE-2026-7458 | Auth Bypass | Versions up to, and including, 2.0.46 |
| CVE-2026-7458 | Auth Bypass | Vulnerable function: user_verification_form_wrap_process_otpLogin |
| CVE-2026-7458 | Auth Bypass | Attack vector: Submitting a 'true' OTP value due to loose PHP comparison |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 02, 2026 at 08:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.