PHP type juggling lets anyone log in as any WordPress user
TL;DR - User Verification by PickPlugins <= 2.0.46: the OTP login handler uses a loose PHP comparison, so submitting true as the OTP value matches any stored code. Unauthenticated attacker, any verified account, including admins. CVSS 9.8.
What happened
User Verification by PickPlugins is a WordPress plugin that adds email OTP login flows to WordPress sites.
CVE-2026-7458 is an authentication bypass in the plugin's OTP validation logic. The function user_verification_form_wrap_process_otpLogin() validates OTP codes using a loose PHP comparison operator. Because of how PHP type juggling works, submitting the boolean value true as the OTP satisfies the check against any stored code. An unauthenticated attacker can log in as any user whose email address is verified - including site administrators.
| Item | Detail |
|---|---|
| Affected component | WordPress plugin User Verification by PickPlugins |
| Affected versions | <= 2.0.46 |
| Severity | CVSS 3.1 9.8 (Critical) |
| CVSS vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
This is the recurring high-impact failure mode for OTP and passwordless login features. One loose comparison operator in a verification endpoint turns a convenience feature into a full account takeover. It is the kind of bug that is easy to miss in code review precisely because the comparison looks like it is doing its job: the stored code is fetched, the submitted value is compared against it, and only the operator is wrong.
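The following is an added illustration of the type-juggling behaviour described above; it is not code from the advisory or from the PickPlugins plugin, and the function names, the six-digit code format and the sample submissions are constructed for the example. It places the loose `==` check beside a strict replacement and runs both against the same inputs.

```php
<?php
// Added example (not the plugin's code): models the loose-comparison OTP check
// described above and a strict replacement. Names are hypothetical.

declare(strict_types=1);

// Constructed sample: the OTP that the site generated and stored for the user.
const STORED_OTP = '483920';

// Vulnerable pattern: a loose (==) comparison between the submitted value
// and the stored code. When one operand is a bool, PHP converts the other
// operand to bool as well, so true == "483920" evaluates to true because any
// non-empty, non-"0" string is truthy.
function otp_matches_loose(mixed $submitted, string $stored): bool
{
    return $submitted == $stored;
}

// Hardened pattern: accept only a string of the expected shape, then compare
// with hash_equals(), which is both strict (no juggling) and constant-time.
function otp_matches_strict(mixed $submitted, string $stored): bool
{
    if (!is_string($submitted) || !preg_match('/^\d{6}$/', $submitted)) {
        return false;
    }
    return hash_equals($stored, $submitted);
}

// Constructed submissions. A PHP boolean can reach application code when a
// JSON request body is decoded with json_decode(); how the plugin received
// its OTP parameter is not described in the advisory (assumption).
$cases = [
    'correct code'  => '483920',
    'wrong code'    => '000000',
    'boolean true'  => true,
    'string "true"' => 'true',
];

foreach ($cases as $label => $value) {
    printf("%-14s loose=%s strict=%s\n",
        $label,
        otp_matches_loose($value, STORED_OTP) ? 'PASS' : 'fail',
        otp_matches_strict($value, STORED_OTP) ? 'PASS' : 'fail');
}
```

Run with `php example.php`: the loose check passes for both the correct code and the boolean `true`, while the string `"true"` fails because a non-numeric string is compared as a string. The strict version passes only for the exact stored code. Validating the type and shape of the input before comparing is the part that closes the gap; switching `==` to `===` alone also fixes this case, but `hash_equals()` additionally avoids leaking the code length or prefix through timing.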
Who is impacted
- WordPress sites running User Verification by PickPlugins at versions <= 2.0.46.
- Sites where the plugin's OTP login flow is enabled and exposed to the internet.
- Highest risk: any deployment where administrative accounts have verified email addresses - the CVE explicitly identifies admin login as a reachable outcome.
What to do now
- Follow vendor remediation guidance and apply the latest patched release available at the time of writing.
- Inventory WordPress sites for the user-verification plugin and confirm installed versions.
- Treat this as potential account compromise exposure:
  - review WordPress and web server logs for OTP login requests containing boolean-like values (for example true) in the OTP field
  - review for suspicious administrator logins and any newly created or modified privileged accounts
  - if you find evidence of exploitation, invalidate all active sessions and rotate any credentials accessible to the compromised accounts
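As an added example of the log review step above (not part of the advisory, and not tooling from the vendor), the script below triages request-log lines for OTP submissions that are not a plain numeric code. The log format is an assumption: JSON lines carrying an `action` name and the decoded request `params`, as a WAF or a plugin-level audit log might record them. Standard WordPress and web server access logs usually do not include POST bodies, so field names and the source of the data will need adapting to what your environment actually logs. All log lines are constructed.

```php
<?php
// Added example (not from the advisory or the plugin): triage constructed
// request-log lines for OTP submissions that are not a plain numeric code.
// The log format (JSON lines with "action" and a decoded "params" object)
// is an assumption; adapt the field names to what your WAF or audit log records.

declare(strict_types=1);

// Constructed sample log lines. The second entry models a login that
// succeeded with a JSON boolean in the OTP field.
const SAMPLE_LOG = <<<'LOG'
{"ts":"2026-05-02T09:14:03Z","ip":"198.51.100.7","action":"otpLogin","params":{"email":"alice@example.test","otp":"483920"},"result":"ok"}
{"ts":"2026-05-02T09:15:41Z","ip":"203.0.113.9","action":"otpLogin","params":{"email":"admin@example.test","otp":true},"result":"ok"}
{"ts":"2026-05-02T09:15:42Z","ip":"203.0.113.9","action":"otpLogin","params":{"email":"admin@example.test","otp":"true"},"result":"fail"}
{"ts":"2026-05-02T09:16:10Z","ip":"198.51.100.7","action":"otpLogin","params":{"email":"bob@example.test","otp":"000000"},"result":"fail"}
{"ts":"2026-05-02T09:17:00Z","ip":"203.0.113.9","action":"login","params":{"user":"admin"},"result":"ok"}
LOG;

// A legitimate OTP submission is a string made only of digits (the length is
// a deployment detail; 4-8 covers common generators). Anything else - a JSON
// boolean, a bare "true", an array, an empty value - is worth a look.
function otp_is_suspicious(mixed $otp): bool
{
    return !is_string($otp) || !preg_match('/^\d{4,8}$/', $otp);
}

/** @return array<int, array{ts:string, ip:string, email:string, otp:string, result:string}> */
function find_suspicious_otp_logins(string $log): array
{
    $hits = [];
    foreach (explode("\n", trim($log)) as $line) {
        $entry = json_decode($line, true);
        if (!is_array($entry) || ($entry['action'] ?? null) !== 'otpLogin') {
            continue;
        }
        $otp = $entry['params']['otp'] ?? null;
        if (otp_is_suspicious($otp)) {
            $hits[] = [
                'ts'     => $entry['ts'],
                'ip'     => $entry['ip'],
                'email'  => $entry['params']['email'] ?? '',
                'otp'    => var_export($otp, true), // keeps the type visible: true vs 'true'
                'result' => $entry['result'] ?? '',
            ];
        }
    }
    return $hits;
}

foreach (find_suspicious_otp_logins(SAMPLE_LOG) as $hit) {
    // A non-numeric OTP that still produced result=ok is the strongest indicator.
    printf("%s %s %-20s otp=%-8s result=%s%s\n",
        $hit['ts'], $hit['ip'], $hit['email'], $hit['otp'], $hit['result'],
        $hit['result'] === 'ok' ? '  <-- bypass succeeded' : '');
}
```

On the constructed input the script reports the two `admin@example.test` attempts from `203.0.113.9` and marks the first one, where a boolean `true` was accepted, as a successful bypass; the entries with ordinary numeric codes are ignored regardless of outcome. Pivot from any flagged success to the same source address and account in the surrounding window, which is where the follow-on activity (new privileged users, changed passwords, plugin installs) would show up.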
Content is AI-assisted and reviewed by our team, but issues may be missed and best practices evolve rapidly, send corrections to [email protected]. Always consult official documentation and validate key implementation decisions before making design or security choices.
