TopVuln

High-risk vulnerability digests

CVE-2026-7458

  • CRITICAL

User Verification by PickPlugins <= 2.0.46 - Unauthenticated Authentication Bypass via OTP Verification REST API Endpoint

Details

CVSS v3
9.8
EPSS
<0.1% probability · 22.9th percentile — 2026-05-12
Affected versions
User Verification by PickPlugins plugin for WordPress, all versions <= 2.0.46
Summary
The vulnerability stems from the use of PHP's loose comparison operator (`==`) to validate OTP codes on the plugin's OTP login REST API endpoint. Under PHP's loose comparison rules, a boolean `true` compares equal to any string other than an empty string or "0", so an unauthenticated attacker who submits the boolean value `true` (for example, JSON `true`) in place of a numeric OTP passes the check without knowing the code. This lets the attacker log in as any user whose email address is verified, including administrators, which gives full control of the WordPress site.
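The following PHP is an added illustration of the bug class described above; it is not code from the plugin or from the advisory, and the function names, the sample OTP value and the assumption that the endpoint reads the OTP from a JSON-decoded request body are all hypothetical. It places the loose `==` check beside a strict, constant-time replacement and feeds both the same three request bodies.

```php
<?php
// Added illustration (not the plugin's code): why a loose `==` OTP check
// accepts a boolean `true`, and a hardened replacement.
// Function names, the stored OTP and the request bodies are constructed.

declare(strict_types=1);

// Vulnerable pattern: `==` applies PHP's loose comparison rules. When one
// operand is a bool, the other is converted to bool first, so
// true == "482913" evaluates to true. Numeric strings are also compared
// numerically, so "012345" == "12345" is true as well.
function otp_matches_loose(string $storedOtp, mixed $submittedOtp): bool
{
    return $storedOtp == $submittedOtp;
}

// Hardened check: accept only a string, then compare with hash_equals(),
// which requires identical bytes and runs in constant time.
function otp_matches_strict(string $storedOtp, mixed $submittedOtp): bool
{
    if (!is_string($submittedOtp)) {
        return false;
    }
    return hash_equals($storedOtp, $submittedOtp);
}

// Constructed sample: the OTP the server generated and stored for the user.
$storedOtp = '482913';

// Constructed request bodies. Assumption: the endpoint decodes a JSON body
// with json_decode(), so a JSON `true` arrives as the PHP boolean true.
$bodies = [
    'attacker' => json_decode('{"otp": true}', true),
    'legit'    => json_decode('{"otp": "482913"}', true),
    'wrong'    => json_decode('{"otp": "000000"}', true),
];

foreach ($bodies as $label => $body) {
    printf(
        "%-8s loose=%s strict=%s\n",
        $label,
        var_export(otp_matches_loose($storedOtp, $body['otp']), true),
        var_export(otp_matches_strict($storedOtp, $body['otp']), true)
    );
}
```

Run with `php` 8.0 or later (the `mixed` type hint needs it). The `attacker` row is the one that matters: the loose check reports a match for a body that never contained the code, while the strict check rejects it; the `legit` and `wrong` rows behave the same under both checks. The `is_string()` guard is what closes the type-juggling hole, and `hash_equals()` additionally avoids the numeric-string equivalence and the timing leak of a plain `===`.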
Remediation
Update the User Verification by PickPlugins plugin to a version newer than 2.0.46 as soon as possible. If no patched version is available, deactivate the plugin so the vulnerable REST endpoint is no longer registered. Because the bypass requires no authentication, review administrator accounts and recent logins on any site that exposed the endpoint, and enforce additional multi-factor authentication for all administrative accounts to reduce risk.
Exploit info
No public exploit found yet.

View on NVD


Information is aggregated from multiple authoritative sources for convenience; verify with NVD and vendors before operational decisions.