CVE-2026-7458
Published: 02 May 2026
Summary
CVE-2026-7458 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in the User Verification by PickPlugins plugin for WordPress. Its CVSS v3.1 base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 43.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-7458 is an authentication bypass vulnerability affecting the User Verification by PickPlugins plugin for WordPress in all versions up to and including 2.0.46. The issue stems from validating one-time password (OTP) codes with PHP's loose comparison operator (==) in the "user_verification_form_wrap_process_otpLogin" function; under loose comparison PHP type-juggles the operands, and the submitted string "true" is incorrectly treated as a valid OTP. The flaw is classified under CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H): network-reachable, low complexity, no privileges or user interaction required, and full impact on confidentiality, integrity and availability.
Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity. By submitting "true" as the OTP value during the login process, they can bypass verification and gain access to any WordPress user account that has a verified email address, including administrative accounts. Successful exploitation grants full attacker control over the compromised account, potentially leading to site takeover, data exfiltration, or further lateral movement within the environment.
Advisories and references, including those from Wordfence Intelligence, locate the vulnerability by code inspection of the plugin's REST functions and email OTP login templates. The fix is to update to a patched version; WordPress plugin changeset 3519113 addresses the loose comparison in the affected functions. Security practitioners should scan for plugin versions up to and including 2.0.46 and deactivate them until they can be upgraded. Because a successful bypass produces an ordinary authenticated session rather than an error, also review login activity on privileged accounts for the period during which a vulnerable version was exposed.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-26737
Vulnerability details
The User Verification by PickPlugins plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.0.46. This is due to the use of a loose PHP comparison operator to validate OTP codes in the "user_verification_form_wrap_process_otpLogin" function. This makes it possible for unauthenticated attackers to log in as any user with a verified email address, such as an administrator, by submitting a "true" OTP value.
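To make the loose-comparison failure described in the "Deeper analysis" section and in the vulnerability details above concrete, the following PHP example is added here. It is illustrative code written for this page, not the plugin's code or the contents of the changeset; the shape of the stored value, the six-digit OTP format and all sample values are assumptions.

```php
<?php
// Added illustration for this page; not the plugin's code. The stored-value
// shapes, the six-digit OTP format and the sample values are constructed.

// Vulnerable shape: PHP's == type-juggles both operands before comparing.
// (Assumed pattern for demonstration, not quoted from the plugin.)
function otp_matches_loose($stored, string $submitted): bool
{
    return $stored == $submitted;
}

// Hardened shape: reject anything that is not a string of the expected
// format on either side, then compare in constant time with hash_equals().
function otp_matches_strict($stored, string $submitted): bool
{
    if (!is_string($stored) || !preg_match('/^\d{6}$/', $submitted)) {
        return false;
    }
    return hash_equals($stored, $submitted);
}

// [stored value, submitted value, what the row demonstrates]
$cases = [
    ['483920', '483920',   'correct code'],
    ['483920', 'true',     'non-numeric "true" vs numeric-string code'],
    [true,     'true',     'boolean true on the stored side vs "true"'],
    [true,     'anything', 'boolean true vs any non-empty string'],
    ['1e3',    '1000',     'two numeric strings compared as numbers'],
    ['0e1234', '0e9999',   'both numeric zero ("magic" strings)'],
    [0,        'true',     'int 0 vs non-numeric string (false on PHP 8, true on PHP 7)'],
];

printf("%-62s %-6s %s\n", 'case', 'loose', 'strict');
foreach ($cases as [$stored, $submitted, $what]) {
    printf("%-62s %-6s %s\n", $what,
        var_export(otp_matches_loose($stored, $submitted), true),
        var_export(otp_matches_strict($stored, $submitted), true));
}
```

Run it with the php command-line interpreter. On PHP 8 the loose column is true for rows 1, 3, 4, 5 and 6, while the strict column is true only for row 1. Two loose-comparison rules do the damage: a boolean on either side of == converts the other operand to boolean, so any non-empty string equals true; and two numeric strings are compared as numbers, so "1e3" equals "1000" and "0e1234" equals "0e9999". hash_equals() additionally avoids the timing side channel of a plain === on a secret. A complete OTP check must also enforce single use and expiry, which the comparison alone does not provide.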
- CWE(s): CWE-288 (Authentication Bypass Using an Alternate Path or Channel)
Related Threats
MITRE ATT&CK Enterprise Techniques
- Exploit Public-Facing Application (T1190). Why this technique: an authentication bypass in a public-facing WordPress plugin directly enables remote exploitation of the application for initial access to user accounts.
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly addresses the loose PHP comparison by requiring strict validation of OTP inputs, so that values such as 'true' are rejected rather than accepted.
- IA-5 (Authenticator Management): ensures proper management and verification of OTP authenticators, mitigating bypasses caused by faulty validation logic in the plugin's login function.
- SI-2 (Flaw Remediation): mandates timely remediation by patching the OTP validation issue in the vulnerable plugin versions.