- Patrick Duggan
# CVE-2026-7458: A WordPress Plugin Authenticates You As Anyone Who Submits "true" For The OTP. PHP Loose Comparison Strikes Again. Second WP Plugin 9.8 In Five Days.
There is a WordPress plugin called User Verification by PickPlugins. Every version through 2.0.46 contains an authentication bypass, disclosed May 2, 2026, that lets an unauthenticated attacker log in as any user with a verified email address, the administrator included, by submitting the value true in place of a one-time code. CVSS 9.8.
The root cause is one character. The function user_verification_form_wrap_process_otpLogin compares the submitted OTP against the stored OTP with PHP's loose-equality operator == instead of strict equality ===. Loose equality type-juggles before comparing, and one of its rules is that when either operand is a boolean, the other operand is converted to boolean: any non-empty string other than "0" becomes true. So if the stored OTP is, say, "482913" and the submitted value is the boolean true, `true == "482913"` evaluates to true and the check passes without any knowledge of the code. Under ===, operands of different types are never equal, and the bypass disappears. One caveat for anyone reproducing this: the comparison only collapses when the submitted value reaches PHP as a boolean, which is what json_decode() produces from a body of `{"otp": true}`; a form-encoded `otp=true` arrives as the string "true", and `"true" == "482913"` is false in every PHP version. Every account with a verified email becomes claimable by anyone who can send one crafted request to the OTP endpoint.
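To make the juggling concrete, here is an added example, not the plugin's code, of the vulnerable check beside a hardened one, exercised with the inputs that matter: the right code, a wrong code, the boolean true that json_decode() yields for `{"otp": true}`, the string "true", and the integer 0. The function names and the sample OTP are hypothetical; the block needs PHP 8 for the `mixed` type.

```php
<?php
// Added example, not the plugin's code: the loose-comparison OTP check the
// post describes beside a hardened form, run against the inputs that matter.
// Function names and the sample OTP are hypothetical. Requires PHP 8.
declare(strict_types=1);

// Vulnerable shape. == type-juggles: when either operand is a bool, PHP casts
// the other to bool, and any non-empty string other than "0" casts to true.
function otp_matches_loose(string $stored, mixed $submitted): bool
{
    return $stored == $submitted;
}

// Hardened shape: accept only a digit string of the expected length, then
// compare with hash_equals(), which is type-safe (string/string) and
// constant-time. `===` alone would also close the bypass.
function otp_matches_strict(string $stored, mixed $submitted): bool
{
    if (!is_string($submitted) || !ctype_digit($submitted)
        || strlen($submitted) !== strlen($stored)) {
        return false;
    }
    return hash_equals($stored, $submitted);
}

$stored = '482913';   // constructed: the code the plugin would have stored

// Values an attacker can deliver. json_decode('{"otp":true}') yields a PHP
// boolean; a form-encoded otp=true arrives as the string "true".
$inputs = [
    'correct code'      => '482913',
    'wrong code'        => '000000',
    'JSON boolean true' => json_decode('{"otp": true}')->otp,
    'string "true"'     => 'true',
    'integer 0'         => 0,
];

foreach ($inputs as $label => $submitted) {
    printf("%-18s loose=%-5s strict=%s\n", $label,
        var_export(otp_matches_loose($stored, $submitted), true),
        var_export(otp_matches_strict($stored, $submitted), true));
}
```

Run it with `php otp_compare.php`. The loose column reads true for both the correct code and the JSON boolean, which is the bypass; the strict column reads true only for the correct code. The string "true" and the integer 0 fail under both, which is why the delivery format matters to an attacker. hash_equals() is used in the hardened form because it refuses non-string operands and removes the timing side channel at the same time, though a plain === would be enough to fix the bug the post describes.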
This is the second WordPress plugin 9.8-class vulnerability we have written about in five days. Our May 8 post covered CVE-2026-3844 — the Cloudways Breeze Cache plugin shipping unauthenticated RCE to four hundred thousand WordPress sites via a missing file-type check on a Gravatar-fetch path. Wordfence logged 170 active exploits against Breeze Cache before the patch landed. Today's PickPlugins disclosure rhymes with that one closely enough that the pattern is worth naming.
## The receipts we already have
Our exploit-harvester cron picked up the PoC repository when GitHub user zycoder0day published it. The IOC is in our iocs index under value zycoder0day/CVE-2026-7458, source-tagged exploit-harvester. Same harvester pulled the PoCs for CVE-2026-3844 (Breeze Cache), CVE-2026-31431 (Copy Fail Linux LPE), CVE-2026-36980 (Linux kernel BSOD), and CVE-2026-5865 (Chrome V8) in the last six weeks. The PoC layer is the leading indicator; once a PoC is published, mass scanning starts within hours.
If you subscribe to our STIX feed at analytics.dugganusa.com/api/v1/stix-feed, the PickPlugins PoC URL is already in your blocklist as of the next pull cycle.
## What "verified email address" means in this plugin's context
User Verification by PickPlugins is, true to the name, a plugin used by WordPress site operators who want to gate registration behind email verification. The verified-email population is every user who registered and clicked the confirmation link, and that is the set of accounts an attacker can claim.
The administrator population is the consequential one. If the site administrator's email is verified, which it almost certainly is by virtue of the administrator having set up the site, then the administrator account is claimable by anyone who can reach the OTP endpoint over the network. WordPress administrators can install plugins and themes and edit their files unless the site defines DISALLOW_FILE_MODS; once an attacker logs in as an administrator, the standard takeover chain (upload a malicious theme or plugin, get arbitrary code execution, drop a webshell, persist) takes minutes.
## Hunt-tonight
The fixed version is anything newer than 2.0.46. Confirm the installed version with `wp plugin list` under WP-CLI if you have shell access, or by reading the Version: header of the plugin's main file under wp-content/plugins/user-verification/. If you cannot update immediately, disable the plugin or disable its OTP login feature; either is safer than leaving the loose-comparison code path reachable.
For incident response on a site that may already have been hit: pull the web-server access logs for the WordPress install and search for POST requests between May 2 and now whose URI or query string contains user_verification_form_wrap_process_otpLogin or an otp parameter. Standard access logs record the request line but not the POST body, so a code submitted only in the body will not appear there; match on the endpoint the plugin exposes, and if a WAF or reverse proxy in front of the site logs request bodies, use that instead. Cross-reference every source IP that appears against your STIX feed. Source IPs known to scan WordPress for PoCs published in the last quarter are in our iocs index.
Look at administrator logins for the same window. WordPress core does not keep a login log, but every active session is stored in the user's session_tokens metadata entry with its login timestamp, source IP and user agent, so list those for each administrator account and flag any session that does not match the real administrator's known activity pattern; also check for administrator accounts created in the window. Web-server access logs are rotated on a schedule you may not control, so if the compromise was earlier in May they may already be gone; pull the audit trail from any WAF or reverse proxy that fronts the WordPress install.
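As an added example, not the post's tooling or the plugin's code, the following script does the access-log part of the hunt described above offline, against a handful of constructed combined-format log lines: it keeps POSTs on or after the May 2 disclosure whose request line names the OTP action or carries an otp query parameter, and summarizes them per source IP with first/last seen and the distinct user agents. The admin-ajax.php URI shape in the sample is an assumption about how the endpoint is reached, not something the post states; swap in the path your install actually exposes.

```php
<?php
// Added example, not the post's tooling or the plugin's code: hunt a
// combined-format access log for OTP-login traffic since the disclosure and
// summarize it per source IP. Log lines below are constructed; the
// admin-ajax.php URI shape is an assumption about how the endpoint is reached.
declare(strict_types=1);

const WINDOW_START = '2026-05-02T00:00:00+00:00';   // disclosure date
const ACTION       = 'user_verification_form_wrap_process_otpLogin';

// ip ident user [time] "method uri proto" status bytes "referer" "user-agent"
const LINE_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$/';

function parse_line(string $line): ?array
{
    if (!preg_match(LINE_RE, $line, $m)) {
        return null;
    }
    $ts = DateTimeImmutable::createFromFormat('d/M/Y:H:i:s O', $m[2]);
    if ($ts === false) {
        return null;
    }
    return ['ip' => $m[1], 'ts' => $ts, 'method' => $m[3],
            'uri' => $m[4], 'status' => (int) $m[5], 'ua' => $m[6]];
}

// Keep POSTs on/after the disclosure whose request line names the OTP action
// or carries an otp parameter. Caveat: access logs do not record POST bodies,
// so a code sent only in the body is invisible here; the endpoint path is
// what you match on, and a WAF/proxy that logs bodies is the better source.
function is_otp_login_attempt(array $r): bool
{
    if ($r['method'] !== 'POST' || $r['ts'] < new DateTimeImmutable(WINDOW_START)) {
        return false;
    }
    parse_str(parse_url($r['uri'], PHP_URL_QUERY) ?: '', $q);
    return str_contains(strtolower($r['uri']), strtolower(ACTION)) || isset($q['otp']);
}

function summarize(iterable $lines): array
{
    $hits = [];
    foreach ($lines as $line) {
        $r = parse_line($line);
        if ($r === null || !is_otp_login_attempt($r)) {
            continue;
        }
        $ip = $r['ip'];
        $hits[$ip]['count'] = ($hits[$ip]['count'] ?? 0) + 1;
        $hits[$ip]['first'] ??= $r['ts']->format(DATE_ATOM);
        $hits[$ip]['last']    = $r['ts']->format(DATE_ATOM);
        $hits[$ip]['ua'][$r['ua']] = true;   // distinct user agents per IP
    }
    return $hits;
}

// Constructed sample: one scanner hit after disclosure, one pre-disclosure
// request that falls outside the window, a normal login, one odd POST.
$sample = [
    '203.0.113.7 - - [03/May/2026:04:12:09 +0000] "POST /wp-admin/admin-ajax.php?action=user_verification_form_wrap_process_otpLogin&otp=true HTTP/1.1" 200 412 "-" "python-requests/2.31"',
    '203.0.113.7 - - [03/May/2026:04:12:10 +0000] "GET /wp-admin/ HTTP/1.1" 200 9312 "-" "python-requests/2.31"',
    '198.51.100.23 - - [01/May/2026:22:40:01 +0000] "POST /wp-admin/admin-ajax.php?action=user_verification_form_wrap_process_otpLogin HTTP/1.1" 200 388 "-" "Mozilla/5.0"',
    '192.0.2.55 - - [09/May/2026:11:03:44 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '192.0.2.55 - - [09/May/2026:11:05:02 +0000] "POST /?otp=482913 HTTP/1.1" 200 512 "https://example.test/login" "Mozilla/5.0"',
];

// For a real log: summarize(file('/var/log/nginx/access.log', FILE_IGNORE_NEW_LINES))
foreach (summarize($sample) as $ip => $h) {
    printf("%-15s %d hit(s)  %s .. %s  ua=%s\n", $ip, $h['count'],
        $h['first'], $h['last'], implode(' | ', array_keys($h['ua'])));
}
```

On the constructed sample the script reports two IPs: 203.0.113.7 for the post-disclosure request that names the action and carries `otp=true` in the query, and 192.0.2.55 for the bare `/?otp=482913` POST. The 198.51.100.23 request is dropped because it predates the window, and the `/wp-login.php` POST and the GET are not OTP traffic. The IPs it prints are the ones to cross-reference against the STIX feed; a `200` on the action with no prior failed attempts from the same source is the pattern to look at first.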
## The pattern across the two posts
Five days, two plugins, both CVSS 9.8, both unauthenticated, both shipping to large installed bases through a software-supply-chain layer the site operator does not actively review.
The Cloudways Breeze Cache post on May 8 covered four hundred thousand sites with a missing file-type validation. Today's PickPlugins post covers a smaller installed base with a one-character PHP type-juggling bug.
The shape is the same. WordPress plugin developers, operating across thousands of independently maintained code bases, are shipping critical authentication and file-handling logic that fails basic safety checks. PHP loose comparison has been called out as a footgun for two decades. File-type validation on remote-fetch paths has been a hardening recommendation for nearly as long. The bugs keep landing because the plugin ecosystem optimizes for shipping speed, not for security review.
The defensive answer for site operators is uncomfortable: every plugin you install is a third-party software-supply-chain dependency you do not have the resources to audit. The mitigations available to you are pinning to the smallest reasonable plugin surface, running a WAF in front of WordPress to catch the high-confidence attack signatures, and watching for the moment a PoC drops on GitHub.
The mitigations available to us as threat-intel publishers are different. We watch GitHub for PoC repositories as a leading indicator. We watch Wordfence and similar sources for confirmed exploitation. We surface the receipts on a feed that any WordPress operator can pull for free. The exploit-harvester cron that caught zycoder0day's PickPlugins PoC ran at 08:15 UTC this morning and the IOC was indexed within minutes.
## The ledger note
This is not a new ledger entry — we are not claiming lead time on the PickPlugins disclosure. The disclosure was May 2, our exploit-harvester picked up the PoC after publication, and the value of this post is curation and context, not novelty. The ledger entries are the lead-time ones — Mini Shai-Hulud (12 days early), LiteLLM (45 days early), Canvas (4 days early). This post is the WordPress-plugin-supply-chain frame extending across two consecutive May posts, with another post likely to follow this month given the cadence the disclosure pipeline is running at.
Two plugins, one frame, one feed.
— Patrick Duggan, May 12, 2026
Her name was Renee Nicole Good.
His name was Alex Jeffery Pretti.
