
CVE-2026-7458 - WordPress User Verification OTP auth bypass

The WordPress User Verification by PickPlugins plugin versions <=2.0.46 contain a critical unauthenticated authentication bypass in the OTP login flow. The vulnerable code uses a loose PHP comparison while validating OTP codes in user_verification_form_wrap_process_otpLogin, allowing an attacker to satisfy the OTP check with a crafted truthy value.

If the plugin is active and OTP login is exposed, an unauthenticated attacker may be able to authenticate as any user with a verified email address, including an administrator. The WordPress plugin directory changelog identifies version 2.0.47 as the release that fixed the unauthenticated OTP authentication bypass.
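To make the defect class concrete, here is an added illustration that is not the plugin's code and not its actual vulnerable function: a hypothetical loose OTP comparison beside a hardened one, with the kind of regression check the remediation steps below ask for. It assumes PHP 8 and a six-digit numeric code; the stored value is constructed.

```php
<?php
declare(strict_types=1);

// Added illustration, not code from the User Verification plugin: a
// hypothetical OTP check showing the loose-comparison defect class next
// to a hardened replacement.

// Vulnerable pattern: `==` applies PHP type juggling. If the submitted value
// reaches this check as something other than a string (for example a JSON
// boolean decoded from the request body), it can compare equal to the stored
// code without the caller knowing that code.
function otp_matches_loose(string $stored, mixed $submitted): bool
{
    return $stored == $submitted;
}

// Hardened pattern: accept only a string of the expected shape, then compare
// in constant time with hash_equals(). Anything else fails closed.
function otp_matches_strict(string $stored, mixed $submitted): bool
{
    if (!is_string($submitted) || !preg_match('/^[0-9]{6}$/', $submitted)) {
        return false;
    }
    return hash_equals($stored, $submitted);
}

// Regression check in the spirit of step 8 of the remediation steps: a
// non-string truthy value must not authenticate. The stored value below is
// a constructed test value, not a real OTP.
$stored = '482913';
$cases = [
    'correct code' => ['482913', true],
    'wrong code'   => ['000000', false],
    'boolean true' => [true, false],
    'empty string' => ['', false],
];
foreach ($cases as $label => [$input, $expected]) {
    $loose  = otp_matches_loose($stored, $input);
    $strict = otp_matches_strict($stored, $input);
    printf("%-13s loose=%s strict=%s\n", $label,
        var_export($loose, true), var_export($strict, true));
    // The loose check accepts the boolean case; the strict check never does.
    assert($strict === $expected);
}
```

A real check should also enforce code expiry and attempt limits, and ideally store only a hash of the code; those are outside what this snippet shows.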

Affected versions

  • Vulnerable: User Verification by PickPlugins WordPress plugin <=2.0.46
  • Fixed: User Verification by PickPlugins WordPress plugin >=2.0.47
  • Preferred: Update to the latest available plugin release through the normal WordPress.org, Composer/WPackagist, WP-CLI, or artifact channel.

Indicators of exposure

  • The repository owns a WordPress site, image, Bedrock/Composer project, plugin bundle, deployment manifest, or runbook that installs user-verification.
  • A deployable WordPress target resolves User Verification by PickPlugins 2.0.46 or older.
  • OTP login, email OTP, passwordless login, or verification forms are exposed to unauthenticated users.
  • Logs, templates, or plugin code reference user_verification_form_wrap_process_otpLogin or the OTP login shortcode.

Quick checks:

wp plugin list --format=csv --fields=name,version,status | grep -E '^user-verification,'
wp plugin status user-verification
rg -n "user-verification|wpackagist-plugin/user-verification|user_verification_form_wrap_process_otpLogin|otp_login|otpLogin|user_verification_otp_login_form" .
find . -maxdepth 8 -path "*/wp-content/plugins/user-verification/*" -type f | head
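The quick checks above locate the plugin; the inventory in steps 1 and 3 of the prompt also needs the resolved version per target compared against the fixed release. The following is an added example script, not part of the advisory or the plugin, that reads the version from a plugin main-file header or a composer.lock entry for `wpackagist-plugin/user-verification` and flags anything below 2.0.47. It assumes bash and the standard WordPress plugin header and composer.lock layouts; the file names it looks for are assumptions.

```bash
#!/usr/bin/env bash
# Added example (not from the advisory or the plugin): report the resolved
# User Verification version per target and flag anything below 2.0.47.
set -u
UV_FIXED="2.0.47"

# Compare two dotted versions numerically; prints -1, 0 or 1 (strcmp style).
uv_vercmp() {
  local a="$1" b="$2" i x y
  local IFS=.
  local -a pa=($a) pb=($b)
  for ((i = 0; i < ${#pa[@]} || i < ${#pb[@]}; i++)); do
    x=${pa[i]:-0}; y=${pb[i]:-0}
    if ((10#$x < 10#$y)); then printf '%s\n' -1; return; fi
    if ((10#$x > 10#$y)); then printf '%s\n' 1; return; fi
  done
  printf '%s\n' 0
}

# Exit 0 when VERSION is strictly below the fixed release (i.e. <=2.0.46).
uv_vulnerable() {
  [ "$(uv_vercmp "$1" "$UV_FIXED")" = "-1" ]
}

# Version from a plugin main-file header line such as " * Version: 2.0.46".
uv_version_from_header() {
  sed -n 's/^[[:space:]]*\*\{0,1\}[[:space:]]*Version:[[:space:]]*\([0-9.]*\).*/\1/p' "$1" | head -n1
}

# Resolved version of wpackagist-plugin/user-verification in a composer.lock.
uv_version_from_composer_lock() {
  grep -A3 '"name": "wpackagist-plugin/user-verification"' "$1" \
    | sed -n 's/.*"version": "\([0-9.]*\)".*/\1/p' | head -n1
}

# Walk DIR and print one line per resolved version: "VULNERABLE|ok VERSION FILE".
uv_scan() {
  local dir="$1" f v
  {
    find "$dir" -path '*/wp-content/plugins/user-verification/*.php' -type f
    find "$dir" -name composer.lock -type f
  } 2>/dev/null | while read -r f; do
    case "$f" in
      *composer.lock) v=$(uv_version_from_composer_lock "$f") ;;
      *)              v=$(uv_version_from_header "$f") ;;
    esac
    [ -n "$v" ] || continue
    if uv_vulnerable "$v"; then echo "VULNERABLE $v $f"; else echo "ok $v $f"; fi
  done
}

# Usage: ./uv-inventory.sh /path/to/repo
if [ $# -gt 0 ]; then uv_scan "$1"; fi
```

A vendored plugin directory and a Composer entry can disagree, so treat every reported line as its own target, as the "Watch for" section notes.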

Remediation strategy

  • Upgrade User Verification by PickPlugins to 2.0.47+, preferably the latest release available through the repository’s normal plugin delivery channel.
  • If the plugin is not required, remove or deactivate it rather than carrying a public authentication-extension plugin.
  • If immediate upgrade is blocked, disable the OTP login feature and block the affected unauthenticated OTP flow at the edge or in WordPress routing until a patched release is deployed.
  • Expire WordPress sessions for administrator and privileged users after deployment, and require password resets or MFA re-enrollment where site policy calls for it.
  • Review WordPress users, role changes, login history, and web access logs for unexpected OTP login requests, user-verification endpoint hits, suspicious truthy OTP values, or administrator activity during the exposure window.

The prompt

Model context: this prompt was generated by GPT 5.5 Extra High reasoning.

You are remediating CVE-2026-7458 (WordPress User Verification by PickPlugins
OTP authentication bypass). Produce exactly one output:

- A reviewer-ready PR/change request that upgrades or disables the vulnerable
  plugin path and documents required operator cleanup, or
- TRIAGE.md if this repository does not own the WordPress plugin deployment or
  cannot make a safe patch.

## Rules

- Scope only CVE-2026-7458.
- Treat OTP codes, passwordless login links, cookies, session identifiers,
  WordPress nonces, and user email data as secrets. Do not print them in logs,
  tests, screenshots, or PR text.
- Do not silently create, delete, demote, relink, or reset WordPress user
  accounts.
- Do not hand-edit vendored plugin code unless no package/channel upgrade is
  available and the patch is explicitly documented as temporary containment.
- Do not preserve public OTP login behavior by weakening validation elsewhere.
- Do not auto-merge.

## Steps

1. Inventory WordPress ownership in this repository:
   - `wp-content/plugins/user-verification`;
   - Composer or Bedrock references such as
     `wpackagist-plugin/user-verification`;
   - WP-CLI install scripts, Dockerfiles, build artifacts, Helm charts,
     Terraform, Ansible, or deployment runbooks;
   - SBOMs, image manifests, plugin lock/state files, and WordPress operator
     documentation.
2. If the repository does not deploy or package a WordPress site with User
   Verification by PickPlugins, stop with `TRIAGE.md` explaining what was
   checked and who owns the runtime remediation.
3. Determine the resolved User Verification plugin version for every
   deployable target. A target is vulnerable if it resolves to `<=2.0.46`.
4. Determine whether OTP login, email OTP, passwordless login, or verification
   forms are exposed to unauthenticated users. Search for shortcodes,
   templates, REST/AJAX handlers, routing rules, and plugin settings tied to
   `user_verification_form_wrap_process_otpLogin`.
5. For every vulnerable target, upgrade the plugin to `>=2.0.47`, preferably
   the latest WordPress.org release available through the repo's normal
   dependency channel. Regenerate Composer locks, plugin manifests, image
   metadata, SBOMs, or deployment render output as appropriate.
6. If the plugin is optional or only used for convenience authentication,
   prefer removal or deactivation. Update runbooks to use a controlled
   support or account-verification workflow.
7. If a fixed plugin release cannot be deployed immediately, add the safest
   temporary containment controlled by this repo: disable OTP login, disable
   the plugin, remove public OTP shortcodes, restrict the affected endpoint at
   the edge, or add an emergency runbook instructing operators to disable the
   feature until patch deployment.
8. Add or update verification that crafted truthy OTP input cannot authenticate
   a user in a non-production environment. Do not include real OTP codes,
   cookies, sessions, or user email addresses.
9. Add a PR body section named `CVE-2026-7458 operator actions` that requires:
   - confirmation production runs User Verification `>=2.0.47` or the plugin
     is disabled/removed;
   - session invalidation for privileged WordPress users;
   - review of administrator users, role changes, and unexpected account
     activity;
   - review of web/auth logs for User Verification OTP login requests and
     suspicious truthy OTP values;
   - confirmation that public OTP/passwordless login forms are intentionally
     enabled only after patch deployment.
10. Run the relevant validation: Composer install/update checks, WordPress
    plugin inventory, image build, deployment rendering, PHP tests,
    authentication smoke tests, and security scans available in this
    repository.
11. Use PR title:
    `fix(sec): remediate CVE-2026-7458 in User Verification`.

## Stop conditions

- No WordPress site or User Verification plugin deployment is controlled by
  this repository.
- The plugin version is managed exclusively in production outside the repo.
- A fixed plugin release cannot be consumed without a broader WordPress
  platform migration.
- The only apparent fix would automatically modify WordPress user accounts or
  expose OTP/session material.
- Validation fails for unrelated pre-existing reasons; document the failure
  instead of broadening scope.

Verification - what the reviewer looks for

  • No deployable target still resolves User Verification by PickPlugins <=2.0.46.
  • The PR updates the real plugin delivery path, such as Composer lockfiles, WP-CLI install scripts, plugin artifact bundles, images, or deployment manifests.
  • Temporary disablement is present if a patched release cannot be deployed immediately.
  • Session invalidation, privileged-account review, and log review are explicit operator actions.
  • Verification proves crafted truthy OTP input cannot authenticate and does not expose real OTP codes or sessions.
  • Build, dependency, image, and deployment checks pass or unrelated failures are documented.

Watch for

  • WordPress repositories that vendor plugins under wp-content/plugins while also installing plugins through Composer, WPackagist, WP-CLI, or image build steps.
  • Production plugin drift where the repository pins a safe version but runtime WordPress auto-updates or manual plugin management tell a different story.
  • Fixes that only remove one shortcode while another OTP/passwordless login route remains public.
  • Treating account cleanup as a code-only problem; session invalidation and privileged-user review must stay operator-controlled.
