CVE-2026-7458 Overview
CVE-2026-7458 is an authentication bypass vulnerability in the User Verification by PickPlugins plugin for WordPress. The flaw affects all versions up to and including 2.0.46. The vulnerability resides in the user_verification_form_wrap_process_otpLogin function, which uses a loose PHP comparison operator to validate one-time password (OTP) codes. Unauthenticated attackers can submit a true OTP value to log in as any user with a verified email address, including administrators. The issue is classified under CWE-288: Authentication Bypass Using an Alternate Path or Channel.
Critical Impact
Unauthenticated attackers can take over administrator accounts on affected WordPress sites by exploiting a loose-comparison flaw in OTP validation, leading to full site compromise.
Affected Products
- User Verification by PickPlugins (WordPress plugin) versions ≤ 2.0.46
- WordPress sites with the plugin installed and email-OTP login enabled
- Sites where verified user accounts exist with administrative privileges
Discovery Timeline
- 2026-05-02 - CVE-2026-7458 published to NVD
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2026-7458
Vulnerability Analysis
The User Verification plugin implements an email-based OTP login flow. The server-side handler user_verification_form_wrap_process_otpLogin compares the user-supplied OTP against the expected value using PHP's loose equality operator (==) instead of strict equality (===). PHP's loose comparison performs type juggling, where the boolean value true is treated as equal to many non-empty strings and non-zero numbers.
An attacker who supplies a request body with the OTP parameter set to the boolean true (for example, via a JSON payload) causes the comparison to evaluate as successful regardless of the real OTP value. The handler then issues an authenticated session for the targeted account. The plugin source involved spans includes/functions-rest.php, templates/email-otp-login-form/hook.php, and templates/email-otp-login-form/index.php.
Root Cause
The root cause is improper OTP validation logic. Using == instead of === allows PHP type coercion to bypass the secret-knowledge check. The handler also lacks rate limiting and brute-force protection on the OTP submission endpoint, increasing the attack surface. See the Wordfence Vulnerability Analysis for detailed write-up.
Attack Vector
Exploitation occurs over the network without authentication or user interaction. An attacker identifies an email address belonging to a verified user, typically an administrator, and submits a crafted REST or form request to the OTP login endpoint with the OTP value set to boolean true. The server returns a valid authenticated session, granting full account takeover. Reference patched code is available in the WordPress User Verification Changeset 3519113.
Detection Methods for CVE-2026-7458
Indicators of Compromise
- POST or REST requests to OTP login endpoints containing JSON payloads where the otp field is the boolean literal true rather than a numeric or string value.
- Successful WordPress administrator logins lacking a corresponding preceding OTP request, or originating from previously unseen IP addresses.
- Creation of new administrator accounts, plugin uploads, or modifications to wp-options shortly after suspicious OTP login attempts.
Detection Strategies
- Inspect WordPress access logs for requests to user-verification REST routes and flag payloads containing "otp":true or non-string OTP types.
- Correlate authentication events with the source IP, user agent, and time-of-day baseline for privileged accounts.
- Deploy a web application firewall rule that rejects OTP submissions where the parameter is not a numeric string of expected length.
Monitoring Recommendations
- Monitor administrator session creation events and alert on logins that bypass the standard wp-login.php flow.
- Track plugin and theme file integrity to detect post-compromise persistence such as backdoored PHP files.
- Review WordPress audit logs daily for privilege changes, user role modifications, and new admin user creation.
How to Mitigate CVE-2026-7458
Immediate Actions Required
- Update the User Verification by PickPlugins plugin to a version newer than 2.0.46 that incorporates the fix from changeset 3519113.
- If an update is not immediately possible, deactivate and remove the plugin until a patched version can be deployed.
- Force a password reset for all administrator and editor accounts and invalidate active sessions.
Patch Information
The vendor addressed the issue in the WordPress plugin repository under changeset 3519113. The fix replaces the loose comparison with strict type-safe validation of the OTP value. Site operators should apply the corresponding plugin release through the WordPress admin dashboard or via WP-CLI.
Workarounds
- Disable the email-OTP login feature in the plugin settings until the patch is applied.
- Add a WAF rule that rejects requests to the OTP login endpoint where the otp parameter is not a string of digits matching the expected OTP length.
- Restrict access to /wp-json/ and the plugin's REST routes to known IP ranges where feasible.
# Update the vulnerable plugin via WP-CLI
wp plugin update user-verification
# Or temporarily deactivate it until a patched release is installed
wp plugin deactivate user-verification
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
