External risk intelligence

WordPress plugin lets anyone log in as an administrator

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2026-7458

A WordPress plugin vulnerability allows anyone to log in as an administrator without a password, potentially exposing sensitive data and enabling complete site takeover.

Halo Surface Signal: 4

Authentication Bypass

External exposure likelihood

Halo Surface Signal score for CVE-2026-7458

The vulnerability affects a WordPress authentication plugin. WordPress sites are typically deployed as internet-facing web applications, and because the plugin handles the login and OTP verification flow, the vulnerable endpoint is reachable by anyone who can reach the site's login page. In practice that means it is exposed to the internet whenever the site itself is.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in the User Verification by PickPlugins plugin allows unauthenticated attackers to bypass login protections. By submitting the string "true" in place of a valid one-time password, an attacker can log in as any user whose email address has been verified, including administrators, on affected WordPress sites.

  • Attackers can log in as any user with a verified email address, including administrators.
  • This affects WordPress sites running the plugin.
  • Unauthorized administrative access can lead to data compromise and full site takeover.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can bypass the One-Time Password (OTP) check in the User Verification by PickPlugins WordPress plugin. By submitting the value "true" in place of a valid OTP, the attacker can log in as any user, including administrators, provided that user has a verified email address. The bypass relies on a weak comparison in the OTP validation logic: the class of defect in which PHP's loose `==` operator treats values of different types as equal (for example, a boolean true compared with any non-empty string), so the check passes without the attacker knowing the code.

  • No prior authentication needed.
  • Target: the plugin's login/OTP verification function.
  • The targeted account must have a verified email address.
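The following PHP is an added example, not the plugin's code, showing the weak-comparison class the attack path describes beside a hardened check; it also illustrates what to look for when reviewing plugin code for bypass logic. The function names, the six-digit stored-code format and the way a boolean reaches the comparison (for example via json_decode() of a request body containing `"otp": true`, or a REST argument declared `'type' => 'boolean'`) are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

// Illustration of the weak-comparison class, not the plugin's code.
// Function names, the stored-OTP format and the path by which a request
// value reaches the check are assumptions made for this example.

/**
 * Weak pattern: the submitted value is compared with `==`.
 * PHP's loose comparison type-juggles: a boolean true compared with any
 * non-empty string is true, and two numeric strings are compared as numbers
 * ('48291' == '048291'). A value arrives as a boolean whenever an upstream
 * layer coerces it, e.g. json_decode() of a body with "otp": true, or a
 * REST argument declared 'type' => 'boolean'.
 */
function otp_matches_weak(mixed $submitted, string $stored): bool
{
    return $submitted == $stored; // the defect: loose comparison
}

/**
 * Hardened pattern: accept only a string of the expected shape, then compare
 * with hash_equals(), which is strict (no type juggling) and constant-time.
 */
function otp_matches_strict(mixed $submitted, string $stored, int $length = 6): bool
{
    if (!is_string($submitted)) {
        return false; // bool/int/null/array never compares equal
    }
    if (strlen($submitted) !== $length || !ctype_digit($submitted)) {
        return false; // wrong length or non-digit characters
    }
    return hash_equals($stored, $submitted);
}

// Constructed test cases: [label, submitted value, stored code].
$cases = [
    ['legitimate code',        '482913',            '482913'],
    ['wrong code',             '000000',            '482913'],
    ['string "true"',          'true',              '482913'],
    ['boolean true (coerced)', true,                '482913'],
    ['json_decode("true")',    json_decode('true'), '482913'],
    ['leading zero dropped',   '48291',             '048291'],
];

foreach ($cases as [$label, $submitted, $stored]) {
    printf(
        "%-24s weak=%-5s strict=%s\n",
        $label,
        otp_matches_weak($submitted, $stored) ? 'true' : 'false',
        otp_matches_strict($submitted, $stored) ? 'true' : 'false'
    );
}
```

Run it with `php otp_compare.php` (PHP 8.0 or later, for the `mixed` type). The weak check accepts the legitimate code but also the coerced boolean, the decoded JSON `true` and the code with its leading zero dropped; the strict check accepts only the exact six-digit string. When auditing a plugin, search its OTP and token handling for `==` against request data, for values that can arrive as non-strings, and for the absence of a format check before comparison.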

Live Threat

Current exploitation, exposure, and threat context

This authentication bypass in a WordPress plugin is highly likely to be weaponized. It is exploitable over the network with no privileges or user interaction, the request is trivial to construct, and it yields administrator access on a widely deployed platform, which makes it attractive for opportunistic mass exploitation once the affected plugin is fingerprinted.

  • No public proof-of-concept exploit observed at the time of writing.
  • Affects the WordPress login/OTP verification process.
  • No CISA KEV listing at the time of writing.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize isolating or taking offline any WordPress site running the User Verification by PickPlugins plugin, since an unauthenticated attacker can bypass authentication and obtain administrator access. No fixed plugin version is identified in the information available here, so containment comes first: deactivate the plugin or isolate the site, then update as soon as the vendor publishes a patched release. Because exploitation leaves little more than a successful login, review internet-facing affected sites for unexpected administrator accounts, sessions and plugin changes.

  • Isolate affected WordPress instances, or deactivate the plugin until a fixed version is installed.
  • Monitor for logins, especially to administrator accounts, that follow OTP submissions carrying a non-numeric value such as "true", and alert on administrator logins from unfamiliar sources.
  • Review the plugin's OTP validation code for loose (`==`) comparisons and missing type or format checks on the submitted value.

Frequently asked questions

What is the User Verification by PickPlugins WordPress plugin?

The User Verification by PickPlugins is a plugin for WordPress websites that helps manage user authentication. It is used to enhance security by implementing an additional layer of verification, such as One-Time Passwords (OTP), to ensure only legitimate users can log in.

What kind of weakness does CVE-2026-7458 represent?

CVE-2026-7458 is an authentication bypass vulnerability. This means an attacker can circumvent the normal login process, bypassing security checks like OTP, to gain unauthorized access to user accounts.

How could an attacker exploit this WordPress plugin vulnerability?

An attacker could exploit this by sending a specific value, "true", as the OTP to the login form. This bypasses the plugin's validation of the OTP code, allowing the attacker to log in as any user, provided that user has a verified email address.

Who should be concerned about CVE-2026-7458?

Organizations and individuals running WordPress sites that use the User Verification by PickPlugins plugin should be concerned. The Halo Surface Signal indicates this is an internet-facing vulnerability, meaning attackers can potentially exploit it from anywhere on the internet.

What is the first step to address this vulnerability?

The immediate first step is to isolate or take offline any WordPress sites using the User Verification by PickPlugins plugin. This prevents unauthenticated attackers from exploiting the bypass and gaining administrative access while further remediation steps are investigated.
