A plugin called User Verification by PickPlugins adds a one-time password step to your WordPress login. The idea is good — a second check before anyone gets in.
The implementation has a bug that cancels the whole thing.
An attacker types “true” as their OTP code. PHP accepts it. They are logged in as any user with a verified email on your site — including administrators. No password. No brute force. No credentials at all.
This is CVE-2026-7458, published to the National Vulnerability Database on May 2, 2026. CVSS score: 9.8.
What Actually Broke — and Why
The flaw is one character of PHP code.
The OTP validation function uses the loose comparison operator (==) instead of the strict one (===). In PHP, loose comparison does not require both operands to have the same type: it converts them to a common type first and then compares. So when an attacker submits the string “true” and it is compared against the expected boolean result, PHP converts the string to a boolean, gets true, sees a match, and passes the check.
The OTP step runs. It just doesn’t protect anything.
This bug class — broken authentication logic from type-unsafe comparison — is documented in OWASP’s Broken Authentication category. It appears in NCSC secure development guidance. It keeps appearing in WordPress plugins because the ecosystem has no mandatory security audit before a plugin ships and gains thousands of installs.
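The comparison described above, as an added example that is not the plugin's code: a constructed OTP check in the vulnerable shape (a boolean verification result compared to raw request input with ==) beside a hardened shape that insists on strings and compares them with hash_equals. It also shows the generalisation the bug implies: under PHP's loose comparison, any non-empty string other than "0" equals boolean true, not just the literal "true". The six-digit code format is an assumption for illustration.

```php
<?php
declare(strict_types=1);

/*
 * Constructed illustration (added example, not the plugin's code) of the bug
 * class described above: a verification result that is a PHP boolean is
 * compared to raw request input with ==, so PHP's type juggling decides.
 */

// Vulnerable shape: loose comparison between user input and the expected value.
// If $expected is boolean true, every non-empty string except "0" passes.
function otp_check_loose(mixed $submitted, mixed $expected): bool
{
    return $submitted == $expected;
}

// Hardened shape: both sides must be strings, the submitted value must look
// like a code (assumed six digits), and the comparison is strict and
// constant-time. A boolean on either side is rejected outright.
function otp_check_strict(mixed $submitted, mixed $expected): bool
{
    if (!is_string($submitted) || !is_string($expected)) {
        return false;
    }
    if (!preg_match('/^\d{6}$/', $submitted)) {
        return false;
    }
    return hash_equals($expected, $submitted);
}

// Constructed inputs: the page's case, its generalisation, a genuine code,
// and the same attacker string against a proper string expectation.
$cases = [
    ['true',     true,     'string "true" vs boolean true (the page\'s case)'],
    ['anything', true,     'any non-empty string vs boolean true'],
    ['0',        true,     'the one string that is falsy: "0"'],
    ['483920',   '483920', 'the genuine code vs the stored code'],
    ['true',     '483920', 'attacker string vs the stored code'],
];

foreach ($cases as [$submitted, $expected, $label]) {
    printf(
        "%-48s loose=%-5s strict=%s\n",
        $label,
        var_export(otp_check_loose($submitted, $expected), true),
        var_export(otp_check_strict($submitted, $expected), true)
    );
}
```

The loose check passes the first two rows and the genuine code; the strict check passes only the genuine code. Note the order of the hash_equals arguments: the known (stored) value goes first so its length is what the timing reveals, not the attacker's input. Even with === instead of ==, a boolean on the expected side would still be the real defect, because nothing the user types can legitimately be "a boolean"; the fix is to compare the submitted code against the stored code, as strings.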
Affected versions: User Verification by PickPlugins ≤ 2.0.46. Update immediately.
The Same Day: CVSS 9.8 via File Upload
Published alongside CVE-2026-7458 on May 2, 2026:
CVE-2026-4882 affects User Registration Advanced Fields (versions ≤ 1.6.20). The plugin’s upload handler — used for profile pictures on registration forms — contains no file type validation. An unauthenticated attacker uploads a PHP script. The server runs it. Full remote code execution, no login required.
Two CVSS 9.8 vulnerabilities. Both require zero credentials. Both in plugins with hundreds of thousands of installs.
Affected versions: User Registration Advanced Fields ≤ 1.6.20. Update immediately.
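The missing validation described above, as an added example that is not the plugin's code: an upload handler in the vulnerable shape (no type check, client-chosen name) beside a hardened one that allowlists by sniffed content type, requires the bytes to decode as an image, and picks the stored name server-side, plus the web-server deny rule as a second layer. The upload directory, the allowlist, the rule text and the demonstration files are assumptions constructed for this example.

```php
<?php
declare(strict_types=1);

/*
 * Added example (not the plugin's code). Contrasts an upload handler that does
 * no type validation, the flaw described above, with a hardened one, and adds
 * a server-level deny rule as a second layer. The upload directory, the
 * allowlist and the rule text are assumptions for illustration.
 */

// Vulnerable shape: trusts the client-supplied file name and stores it as-is,
// so "avatar.php" lands in a web-served directory and runs on the next request.
function save_upload_unchecked(array $file, string $upload_dir): string
{
    $dest = $upload_dir . '/' . basename($file['name']);
    move_uploaded_file($file['tmp_name'], $dest);
    return $dest;
}

// Hardened shape: allowlist by sniffed content type, require the bytes to
// decode as an image, and choose the stored name and extension server-side.
const ALLOWED_IMAGE_TYPES = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

function validate_image_upload(array $file, int $max_bytes = 2_000_000): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) return null;
    if (($file['size'] ?? 0) > $max_bytes) return null;
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']); // from bytes, not the name
    if (!is_string($mime) || !isset(ALLOWED_IMAGE_TYPES[$mime])) return null;
    if (@getimagesize($file['tmp_name']) === false) return null;      // must parse as an image
    return ALLOWED_IMAGE_TYPES[$mime];                                 // extension we chose
}

function save_upload_checked(array $file, string $upload_dir): ?string
{
    $ext = validate_image_upload($file);
    if ($ext === null) return null;
    $dest = $upload_dir . '/' . bin2hex(random_bytes(16)) . '.' . $ext; // random, no user input
    if (!is_uploaded_file($file['tmp_name']) || !move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    return $dest;
}

// Defence in depth: deny script files inside the upload directory at the web
// server, so a validation gap in any plugin does not become code execution.
// Apache 2.4 syntax (assumed rule text); the directory must be covered by
// AllowOverride for the file to be honoured, and nginx does not read .htaccess.
function write_no_exec_rule(string $upload_dir): void
{
    $rule = <<<'HTACCESS'
    # Deny serving or executing server-side scripts from the uploads directory
    <FilesMatch "\.(php|phtml|phar|php[0-9]?)$">
        Require all denied
    </FilesMatch>
    HTACCESS;
    file_put_contents($upload_dir . '/.htaccess', $rule . "\n");
}

// Constructed demonstration: a real 1x1 PNG versus a PHP script posing as an avatar.
$tmp = sys_get_temp_dir();
$png = $tmp . '/avatar.tmp';
file_put_contents($png, base64_decode(
    'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='
));
$script = $tmp . '/script.tmp';
file_put_contents($script, "<?php echo 'not an image';\n");

$fake_upload = fn(string $path, string $name): array =>
    ['name' => $name, 'tmp_name' => $path, 'size' => filesize($path), 'error' => UPLOAD_ERR_OK];

var_dump(validate_image_upload($fake_upload($png, 'avatar.png')));
var_dump(validate_image_upload($fake_upload($script, 'avatar.php')));
```

The PNG validates; the script, which finfo reports as text/x-php and getimagesize refuses, does not. Two caveats a reviewer would raise: content sniffing and getimagesize both accept polyglots (a valid image with script text appended), so the deny rule at the server is not optional; and the stronger fix for images is to re-encode them through GD or Imagick, which discards any trailing payload. Storing uploads outside the web root and serving them through a script removes the execution path entirely.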
The Pattern Behind This Week
These two CVEs are not outliers.
According to the Patchstack State of WordPress Security 2026 report, 11,334 new vulnerabilities were found across the WordPress ecosystem in 2025 — a 42% increase year-on-year. Of those, 91% were in plugins, not WordPress core. And 46% had no available fix at the time of public disclosure.
Nearly half of all publicly disclosed WordPress plugin flaws go live with no patch to apply.
The OTP bypass and the file upload flaw both fall into well-known OWASP categories. Both appear in security training. Both appeared in production plugins in 2026.
What Most Site Owners Get Wrong
The mistake is common: a plugin promises “secure OTP login,” you install it, and you assume the protection is real. The feature looks correct. A second step runs. The login page shows a code field.
But if the comparison logic is broken, the step is theatre.
The same gap applies to file uploads. Most admins assume WordPress’s media library restrictions cover every plugin that handles file input. They don’t. Every plugin with its own upload handler is its own implementation — and its own potential gap.
How to Reduce This Risk Now
Check today
1. Go to Plugins → Installed Plugins
2. Search for User Verification by PickPlugins — if the version is ≤ 2.0.46, update now
3. Search for User Registration Advanced Fields — if the version is ≤ 1.6.20, update now
4. Go to Users → All Users → Role: Administrator — remove any account that should not be there
Where SwissWPSuite fits
blockphpuploads (Essential tier — free) writes a server-level .htaccess rule to wp-content/uploads that blocks execution of .php, .phtml, and .phar files. If an attacker uses CVE-2026-4882 to upload a malicious file, the server denies execution before WordPress is even involved. This is not plugin-level filtering — it runs independently of WordPress and its entire plugin stack.
Sentinel scanner (Layer 5, M4-D2 — requires WPScan API key) checks every installed plugin version against the WPScan CVE database. For both CVEs disclosed this week, the scanner flags vulnerable versions automatically, so you know where you stand without manually tracking every advisory.
Login lockout (free, always active) limits failed login attempts to 3 per IP per 15-minute window. It does not patch the OTP comparison bug in CVE-2026-7458 — that requires updating the plugin — but it closes the door on parallel credential-stuffing attacks that often accompany account takeover campaigns.
2FA TOTP (Pro) adds a properly implemented RFC 6238 second factor to WordPress admin login — verified against an external authenticator app, not a plugin-managed comparison check. No loose operators. No type coercion.
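What a "properly implemented" RFC 6238 check looks like, as an added example that is not SwissWPSuite's code: a minimal HOTP/TOTP verifier (RFC 4226 dynamic truncation, 30-second step, SHA-1) that computes the expected code server-side, accepts only a six-digit string, and compares with hash_equals over a bounded skew window. It checks itself against the RFC 6238 Appendix B vector; the skew window and digit count are assumptions.

```php
<?php
declare(strict_types=1);

/*
 * Added example, not SwissWPSuite's code: a minimal RFC 4226 / RFC 6238
 * verifier. The shared secret is provisioned into the user's authenticator
 * app; the server recomputes the code and compares strings strictly.
 */

function hotp(string $secret, int $counter, int $digits = 6): string
{
    $msg  = pack('J', $counter);                     // 8-byte big-endian counter
    $hmac = hash_hmac('sha1', $msg, $secret, true);  // raw 20-byte HMAC-SHA1
    $offset = ord($hmac[19]) & 0x0f;                 // dynamic truncation (RFC 4226 s5.3)
    $code = ((ord($hmac[$offset])     & 0x7f) << 24)
          | ((ord($hmac[$offset + 1]) & 0xff) << 16)
          | ((ord($hmac[$offset + 2]) & 0xff) << 8)
          |  (ord($hmac[$offset + 3]) & 0xff);
    return str_pad((string) ($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

function totp(string $secret, int $unix_time, int $step = 30, int $digits = 6): string
{
    return hotp($secret, intdiv($unix_time, $step), $digits);
}

// Verify a submitted code, tolerating +/- $window steps of clock skew (assumed 1).
// The input must be a six-digit string: a boolean or the string "true" never matches.
function verify_totp(string $secret, mixed $submitted, int $unix_time, int $window = 1, int $step = 30): bool
{
    if (!is_string($submitted) || !preg_match('/^\d{6}$/', $submitted)) {
        return false;
    }
    $ok = false;
    for ($i = -$window; $i <= $window; $i++) {
        $candidate = totp($secret, $unix_time + $i * $step, $step);
        $ok = hash_equals($candidate, $submitted) || $ok;   // check every step, no early exit
    }
    return $ok;
}

// RFC 6238 Appendix B vector: ASCII secret "12345678901234567890", T=59, SHA-1
// gives 94287082; its last six digits, 287082, are the RFC 4226 vector for counter 1.
$secret = '12345678901234567890';
if (totp($secret, 59) !== '287082') {
    throw new RuntimeException('TOTP does not match the RFC 6238 test vector');
}
if (!verify_totp($secret, '287082', 59)) {
    throw new RuntimeException('valid code rejected');
}
if (verify_totp($secret, 'true', 59) || verify_totp($secret, true, 59)) {
    throw new RuntimeException('non-code input accepted');
}
echo "RFC 6238 vector verified\n";
```

Two things a production verifier adds on top of this: it records the last accepted time step per user and refuses any code from that step or earlier, so a captured code cannot be replayed inside the window; and it stores the shared secret encrypted at rest, since anyone who reads it can generate codes. The point of contrast with the OTP bug above is that the expected value here is always a server-computed string, never a boolean, so there is nothing for type juggling to coerce.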
One important note: these controls reduce exposure and contain damage. They do not replace patching. If the affected plugins are installed and unpatched, update them first.
Two critical fixes, both under two minutes:
Update User Verification by PickPlugins and User Registration Advanced Fields today.
Then run SwissWPSuite’s Sentinel scanner to check the rest of your plugin inventory, and enable blockphpuploads to add server-level PHP blocking to your uploads directory — so plugin-level validation gaps stop being server-level problems.