Actively Exploited in the Wild

This vulnerability is being actively exploited in the wild.

WordPress User Verification Plugin Authentication Bypass Vulnerability Allowing Account Takeover

Vulnerability

An authentication bypass vulnerability has been identified in the WordPress User Verification plugin, specifically in versions through 2.0.39. The issue arises because the plugin fails to properly validate that a one-time password (OTP) was generated before comparing it to user input in the OTP login processing function. This flaw enables unauthenticated attackers to log in as any user with a verified email address, including administrators, by submitting an empty OTP value.
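The following PHP is an added illustration, not the plugin's code, of the bug class described above: a login check that compares the submitted OTP against the stored one without first confirming that an OTP was ever generated, beside a hardened version of the same check. The record layout (`code`, `issued_at`), the numeric six-digit OTP format and the 300-second lifetime are assumptions for the example.

```php
<?php
// Added example modelling the described flaw; it is not the plugin's code.
// Weak pattern (shown for contrast): the stored value is compared directly to
// user input. If no OTP was ever issued, the stored value is '' and an empty
// submission satisfies the loose comparison, so the login proceeds.
function otp_matches_weak(string $stored_otp, string $submitted_otp): bool
{
    return $stored_otp == $submitted_otp;
}

// Hardened check: require a pending OTP, a non-empty well-formed submission,
// an unexpired code, and a constant-time comparison.
// $otp_record is a hypothetical ['code' => string, 'issued_at' => int] array
// as it might be read from user meta; $now is the current Unix time.
function otp_matches_hardened(array $otp_record, string $submitted_otp, int $now, int $ttl = 300): bool
{
    // 1. An OTP must actually have been generated for this user.
    if (empty($otp_record['code']) || empty($otp_record['issued_at'])) {
        return false;
    }
    // 2. Reject empty or malformed input before any comparison takes place
    //    (six-digit numeric codes are assumed here).
    if (strlen($submitted_otp) !== 6 || !ctype_digit($submitted_otp)) {
        return false;
    }
    // 3. Enforce a lifetime so a stale code cannot be reused later.
    if ($now - (int) $otp_record['issued_at'] > $ttl) {
        return false;
    }
    // 4. Constant-time comparison; both arguments must be strings.
    return hash_equals((string) $otp_record['code'], $submitted_otp);
}

// Constructed sample: a user with a verified email but no OTP issued.
// The weak check accepts the empty submission; the hardened check does not.
$no_otp_pending = ['code' => '', 'issued_at' => 0];
var_dump(otp_matches_weak('', ''));
var_dump(otp_matches_hardened($no_otp_pending, '', time()));

// Constructed sample: an OTP issued 60 seconds ago, then the right and an
// empty code submitted. After a successful match the caller should also
// delete the stored code so it cannot be presented a second time.
$pending = ['code' => '482913', 'issued_at' => time() - 60];
var_dump(otp_matches_hardened($pending, '482913', time()));
var_dump(otp_matches_hardened($pending, '', time()));
```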

Impact

Exploitation of this vulnerability allows for unauthorized login as any user with a verified email address, potentially leading to account takeover, especially if the targeted user is an administrator.

Reproduction

To reproduce this vulnerability, send a request to the 'user_verification_form_wrap_process_otpLogin' function with an empty OTP value. Ensure that the email address of the user being targeted is verified. The absence of a valid OTP will be overlooked, allowing access to the account.

Remediation

No known patch is available. It is recommended to review the vulnerability details and consider uninstalling the affected plugin.

Added: Dec 5, 2025, 7:18 AM
Updated: Dec 5, 2025, 7:18 AM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 5.0
exploitability: 10.0
remediation: 0.0
relevance: 1.2
threat: 8.0
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.