CVE-2026-7458 -- CVSS 9.8 Vulnerability Briefing
CVE-2026-7458 | CVSS 9.8 (Critical) | Exploit: PoC available
What Is It
CVE-2026-7458 is a critical authentication bypass vulnerability in the User Verification plugin by PickPlugins for WordPress, affecting all versions up to and including 2.0.46, which allows unauthenticated attackers to log in as any user with a verified email address.
Technical Detail
The flaw exists in the user_verification_form_wrap_process_otpLogin function, which validates one-time password (OTP) codes with PHP's loose comparison operator (==) instead of a strict comparison (===). Because PHP's loose comparison evaluates the string "true" as equal to any non-zero integer or truthy value, an unauthenticated attacker can submit the literal string "true" as the OTP value and pass the check without knowing the real code. Successful exploitation grants full account access as the targeted user; if an administrator account with a verified email is targeted, the result is complete site compromise.
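The following is an added illustration, not code from the plugin or from this briefing: it places an OTP check written with loose comparison beside a hardened version. It assumes PHP 8 and that the expected OTP value can reach the comparison as a boolean true (the truthy case the loose operator accepts) rather than as the real code string.

```php
<?php
declare(strict_types=1);

// Added example (not the plugin's code). Assumes PHP 8. Shows why
// "$submitted == $expected" is unsafe when $expected can be a non-string.

/** Vulnerable pattern: loose comparison of untrusted input against the expected OTP. */
function otp_check_loose(mixed $expected, string $submitted): bool
{
    return $submitted == $expected;   // "true" == true evaluates to true in PHP
}

/** Hardened pattern: require a string OTP of the expected shape, then compare in constant time. */
function otp_check_strict(mixed $expected, string $submitted): bool
{
    // Anything that is not a 6-digit string (assumed OTP format) is rejected outright,
    // so a boolean, integer or the literal word "true" can never match.
    if (!is_string($expected) || !preg_match('/^\d{6}$/', $expected)) {
        return false;
    }
    if (!preg_match('/^\d{6}$/', $submitted)) {
        return false;
    }
    return hash_equals($expected, $submitted);   // strict, constant-time, type-safe
}

// Constructed scenarios: a real code, a wrong submission, and a record whose
// expected value has degraded to boolean true (e.g. an "already verified" flag).
$cases = [
    ['expected' => '483920', 'submitted' => '483920'],   // loose=true  strict=true
    ['expected' => '483920', 'submitted' => 'true'],     // loose=false strict=false
    ['expected' => true,     'submitted' => 'true'],     // loose=true  strict=false
];
foreach ($cases as $c) {
    printf(
        "expected=%s submitted=%s loose=%s strict=%s\n",
        var_export($c['expected'], true),
        $c['submitted'],
        var_export(otp_check_loose($c['expected'], $c['submitted']), true),
        var_export(otp_check_strict($c['expected'], $c['submitted']), true)
    );
}
```

The third case is the bypass: the loose check accepts the word "true" against a boolean, while the hardened check fails it because the expected value is not a well-formed OTP string.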
Exploitation Status
A proof-of-concept exploit is publicly available. This vulnerability has not been added to the CISA Known Exploited Vulnerabilities catalog as of May 2, 2026, and active in-the-wild exploitation has not been confirmed. However, the low complexity of exploitation combined with public PoC availability significantly elevates the risk of opportunistic attacks in the near term.
Who Is Targeting This
No specific threat actor attribution at this time. Given the trivial exploitation path and the large install base typical of popular WordPress plugins, opportunistic attackers and automated scanning tools are the most likely sources of initial attacks.
What To Do
Update the User Verification by PickPlugins plugin to a version beyond 2.0.46 immediately. Administrators should treat this as a high-priority patch given the critical CVSS score of 9.8 and the availability of public PoC code. If an immediate update is not possible, disable the plugin until patching can be completed; no workaround exists that preserves plugin functionality. Detection efforts should focus on reviewing authentication logs for anomalous login events, particularly successful logins to administrator accounts that did not originate from expected IP ranges or that occurred without a prior password submission. Where web-server or WAF request logs are retained, requests to the plugin's OTP login handler whose OTP value is the literal string "true" are a direct indicator of an exploitation attempt. Review recently created or modified administrator accounts for signs of unauthorized access.