CVE-2026-7458 - WordPress User Verification OTP auth bypass

The WordPress User Verification by PickPlugins plugin versions <=2.0.46 contain a critical unauthenticated authentication bypass in the OTP login flow. The vulnerable code uses a loose PHP comparison while validating OTP codes in user_verification_form_wrap_process_otpLogin, allowing an attacker to satisfy the OTP check with a crafted truthy value.

If the plugin is active and OTP login is exposed, an unauthenticated attacker may be able to authenticate as any user with a verified email address, including an administrator. The WordPress plugin directory changelog identifies version 2.0.47 as the release that fixed the unauthenticated OTP authentication bypass.

When to use it

Use this recipe when a repository owns a WordPress site, image, Bedrock or Composer project, plugin bundle, deployment manifest, or runbook that installs User Verification by PickPlugins. It is most important when OTP login, email OTP, passwordless login, or verification forms are public or reachable by unauthenticated users.

Use it to upgrade or disable the vulnerable authentication path and document operator cleanup. Do not use it to create, delete, demote, or reset WordPress accounts automatically.

Inputs

  • WordPress project files, wp-content/plugins/user-verification, Composer/Bedrock/WPackagist references, WP-CLI install scripts, Dockerfiles, build artifacts, Helm/Terraform/Ansible manifests, SBOMs, image manifests, plugin lock/state files, and operator docs.
  • Resolved User Verification plugin versions for every deployable target and the real plugin delivery channel.
  • OTP/passwordless exposure evidence: shortcodes, templates, REST/AJAX handlers, routing rules, plugin settings, login forms, and user_verification_form_wrap_process_otpLogin.
  • Operator ownership for session invalidation, privileged-user review, administrator activity review, role-change review, and auth/web log review.
  • Safe non-production validation fixtures that prove crafted truthy OTP input cannot authenticate without exposing real OTPs, cookies, sessions, nonces, or user email data.

Affected versions

  • Vulnerable: User Verification by PickPlugins WordPress plugin <=2.0.46
  • Fixed: User Verification by PickPlugins WordPress plugin >=2.0.47
  • Preferred: Update to the latest available plugin release through the normal WordPress.org, Composer/WPackagist, WP-CLI, or artifact channel.

Indicator-of-exposure

  • The repository owns a WordPress site, image, Bedrock/Composer project, plugin bundle, deployment manifest, or runbook that installs user-verification.
  • A deployable WordPress target resolves User Verification by PickPlugins 2.0.46 or older.
  • OTP login, email OTP, passwordless login, or verification forms are exposed to unauthenticated users.
  • Logs, templates, or plugin code reference user_verification_form_wrap_process_otpLogin or the OTP login shortcode.

Quick checks:

wp plugin list --fields=name,version,status | grep -E '^user-verification[[:space:]]'
wp plugin status user-verification
rg -n "user-verification|wpackagist-plugin/user-verification|user_verification_form_wrap_process_otpLogin|otp_login|otpLogin|user_verification_otp_login_form" .
find . -path "*/wp-content/plugins/user-verification/*" -maxdepth 8 -type f | head

Remediation strategy

  • Upgrade User Verification by PickPlugins to 2.0.47+, preferably the latest release available through the repository’s normal plugin delivery channel.
  • If the plugin is not required, remove or deactivate it rather than carrying a public authentication-extension plugin.
  • If immediate upgrade is blocked, disable the OTP login feature and block the affected unauthenticated OTP flow at the edge or in WordPress routing until a patched release is deployed.
  • Expire WordPress sessions for administrator and privileged users after deployment, and require password resets or MFA re-enrollment where site policy calls for it.
  • Review WordPress users, role changes, login history, and web access logs for unexpected OTP login requests, user-verification endpoint hits, suspicious truthy OTP values, or administrator activity during the exposure window.

The prompt

You are remediating CVE-2026-7458 (WordPress User Verification by PickPlugins
OTP authentication bypass). Produce exactly one output:

- A reviewer-ready PR/change request that upgrades or disables the vulnerable
  plugin path and documents required operator cleanup, or
- TRIAGE.md if this repository does not own the WordPress plugin deployment or
  cannot make a safe patch.

## Rules

- Scope only CVE-2026-7458.
- Treat OTP codes, passwordless login links, cookies, session identifiers,
  WordPress nonces, and user email data as secrets. Do not print them in logs,
  tests, screenshots, or PR text.
- Do not silently create, delete, demote, relink, or reset WordPress user
  accounts.
- Do not hand-edit vendored plugin code unless no package/channel upgrade is
  available and the patch is explicitly documented as temporary containment.
- Do not preserve public OTP login behavior by weakening validation elsewhere.
- Do not auto-merge.

## Steps

1. Inventory WordPress ownership in this repository:
   - `wp-content/plugins/user-verification`;
   - Composer or Bedrock references such as
     `wpackagist-plugin/user-verification`;
   - WP-CLI install scripts, Dockerfiles, build artifacts, Helm charts,
     Terraform, Ansible, or deployment runbooks;
   - SBOMs, image manifests, plugin lock/state files, and WordPress operator
     documentation.
2. If the repository does not deploy or package a WordPress site with User
   Verification by PickPlugins, stop with `TRIAGE.md` explaining what was
   checked and who owns the runtime remediation.
3. Determine the resolved User Verification plugin version for every
   deployable target. A target is vulnerable if it resolves to `<=2.0.46`.
4. Determine whether OTP login, email OTP, passwordless login, or verification
   forms are exposed to unauthenticated users. Search for shortcodes,
   templates, REST/AJAX handlers, routing rules, and plugin settings tied to
   `user_verification_form_wrap_process_otpLogin`.
5. For every vulnerable target, upgrade the plugin to `>=2.0.47`, preferably
   the latest WordPress.org release available through the repo's normal
   dependency channel. Regenerate Composer locks, plugin manifests, image
   metadata, SBOMs, or deployment render output as appropriate.
6. If the plugin is optional or only used for convenience authentication,
   prefer removal or deactivation. Update runbooks to use a controlled
   support or account-verification workflow.
7. If a fixed plugin release cannot be deployed immediately, add the safest
   temporary containment controlled by this repo: disable OTP login, disable
   the plugin, remove public OTP shortcodes, restrict the affected endpoint at
   the edge, or add an emergency runbook instructing operators to disable the
   feature until patch deployment.
8. Add or update verification that crafted truthy OTP input cannot authenticate
   a user in a non-production environment. Do not include real OTP codes,
   cookies, sessions, or user email addresses.
9. Add a PR body section named `CVE-2026-7458 operator actions` that requires:
   - confirmation production runs User Verification `>=2.0.47` or the plugin
     is disabled/removed;
   - session invalidation for privileged WordPress users;
   - review of administrator users, role changes, and unexpected account
     activity;
   - review of web/auth logs for User Verification OTP login requests and
     suspicious truthy OTP values;
   - confirmation that public OTP/passwordless login forms are intentionally
     enabled only after patch deployment.
10. Run the relevant validation: Composer install/update checks, WordPress
    plugin inventory, image build, deployment rendering, PHP tests,
    authentication smoke tests, and security scans available in this
    repository.
11. Use PR title:
    `fix(sec): remediate CVE-2026-7458 in User Verification`.

## Stop conditions

- No WordPress site or User Verification plugin deployment is controlled by
  this repository.
- The plugin version is managed exclusively in production outside the repo.
- A fixed plugin release cannot be consumed without a broader WordPress
  platform migration.
- The only apparent fix would automatically modify WordPress user accounts or
  expose OTP/session material.
- Validation fails for unrelated pre-existing reasons; document the failure
  instead of broadening scope.

Verification - what the reviewer looks for

  • No deployable target still resolves User Verification by PickPlugins <=2.0.46.
  • The PR updates the real plugin delivery path, such as Composer lockfiles, WP-CLI install scripts, plugin artifact bundles, images, or deployment manifests.
  • Temporary disablement is present if a patched release cannot be deployed immediately.
  • Session invalidation, privileged-account review, and log review are explicit operator actions.
  • Verification proves crafted truthy OTP input cannot authenticate and does not expose real OTP codes or sessions.
  • Build, dependency, image, and deployment checks pass or unrelated failures are documented.

Watch for

  • WordPress repositories that vendor plugins under wp-content/plugins while also installing plugins through Composer, WPackagist, WP-CLI, or image build steps.
  • Production plugin drift where the repository pins a safe version but runtime WordPress auto-updates or manual plugin management tell a different story.
  • Fixes that only remove one shortcode while another OTP/passwordless login route remains public.
  • Treating account cleanup as a code-only problem; session invalidation and privileged-user review must stay operator-controlled.

Output contract

Return one of:

  • A reviewer-ready PR/change request that upgrades User Verification to 2.0.47+ or disables/removes the plugin, blocks public OTP/passwordless login until patched, refreshes plugin delivery artifacts, adds safe verification, and documents operator session/account/log review.
  • TRIAGE.md when no controlled WordPress deployment, plugin delivery path, image, form configuration, or runbook exists.

The output must list plugin versions, public OTP exposure, fixed-version or disablement decision, delivery artifacts refreshed, validation commands, and operator actions for privileged session invalidation, admin/account review, role-change review, and suspicious OTP log review. It must not print OTPs, cookies, sessions, nonces, user emails, or automatically modify WordPress user accounts.

References