User Verification by PickPlugins Authentication Bypass Vulnerability via OTP Verification REST API Endpoint

Vulnerability

An authentication bypass vulnerability has been identified in the User Verification by PickPlugins plugin for WordPress, affecting all versions up to and including 2.0.46. The 'user_verification_form_wrap_process_otpLogin' function validates the submitted OTP with PHP's loose comparison operator (==) instead of a strict, type-checked comparison. Under PHP's loose comparison rules a non-empty string compares equal to the boolean true, so an OTP value of boolean true (which a JSON request body to the REST endpoint can carry) satisfies the check without the attacker knowing the code. This allows unauthenticated attackers to log in as any user whose email address has been verified, including administrators.
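The following PHP snippet is an added illustration of the flaw class described above; it is not the plugin's code, and the function names, the six-digit OTP format and the sample values are assumptions. It places the vulnerable loose comparison beside a hardened check that rejects non-string input, validates the expected shape, and compares in constant time with hash_equals. The probe list also shows a second loose-comparison hazard that the advisory does not mention but that follows from the same PHP rules: two numeric strings such as "012345" and "12345" compare equal under ==.

```php
<?php
// Added example, not code from the User Verification by PickPlugins plugin.
// Function names, OTP format and sample values are assumptions.

// Vulnerable pattern: loose comparison of the submitted value against the
// stored OTP. With a JSON body such as {"otp": true}, the decoded value is
// PHP boolean true, and "012345" == true is true because the string operand
// is cast to boolean (any non-empty string except "0" becomes true).
function otp_matches_loose($submitted, string $stored): bool
{
    return $submitted == $stored;
}

// Hardened pattern: insist on a string, require the expected shape, then
// compare in constant time. Booleans, integers and arrays are rejected
// before any comparison takes place, and numeric-string coercion never
// applies because hash_equals compares bytes, not numbers.
function otp_matches_strict($submitted, string $stored): bool
{
    if (!is_string($submitted) || !preg_match('/^\d{6}$/', $submitted)) {
        return false;
    }
    return hash_equals($stored, $submitted);
}

// Constructed sample OTP with a leading zero to expose numeric-string coercion.
$stored = '012345';

// Constructed probes: the genuine code, a wrong code, boolean true,
// the same digits without the leading zero, integer zero and the string "0".
$probes = ['012345', '999999', true, '12345', 0, '0'];

foreach ($probes as $probe) {
    printf(
        "%-9s loose=%-4s strict=%s\n",
        var_export($probe, true),
        otp_matches_loose($probe, $stored) ? 'PASS' : 'fail',
        otp_matches_strict($probe, $stored) ? 'PASS' : 'fail'
    );
}
// Under PHP 8, the loose check passes for '012345', true and '12345';
// the strict check passes only for '012345'.
```

When reviewing similar WordPress REST handlers, look at how the OTP parameter is read: WP_REST_Request::get_param() returns the JSON-decoded value, so a boolean, integer or array can reach a comparison that the author assumed would only ever see a string. Casting with (string) before comparing is not sufficient on its own, since (string) true is "1" and numeric strings still compare numerically under ==; the reliable fix is an is_string check followed by hash_equals.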

Impact

Exploitation requires no authentication and yields a logged-in session as any user whose email address has been verified, including administrator accounts, which hands the attacker full control of the affected site.

Remediation

Users are advised to update the plugin to version 2.0.47 or a newer patched version.

Added: May 2, 2026, 5:21 AM
Updated: May 2, 2026, 5:21 AM

Vulnerability Rating (Custom Algorithm)

spread          5.2
impact          1.3
exploitability  8.6
remediation     7.7
relevance       7.2
threat          3.2
urgency         2.9
incentive       8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.