The User Verification by PickPlugins plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.0.46. This is due to the use of a loose PHP comparison operator to validate OTP codes in the "user_verification_form_wrap_process_otpLogin" function. This makes it possible for unauthenticated attackers to log in as any user with a verified email address, such as an administrator, by submitting a "true" OTP value.
The 'user_verification_form_wrap_process_otpLogin' function uses a loose PHP comparison operator (==) instead of a strict one (===) to validate the one-time password (OTP) code. PHP's loose comparison mechanism causes the text value 'true' to be considered equal to any non-zero OTP code. An unauthenticated attacker can submit the value 'true' as an OTP code, allowing them to bypass the verification mechanism and log in as any user with a verified email address.
An attacker can gain full access to any user account, including WordPress administrator accounts, which may lead to takeover of the entire website, data disclosure, installation of malicious software, or complete destruction of website content.
The User Verification plugin by PickPlugins should be updated to a version higher than 2.0.46. The fix is available in changeset 3519113 in the WordPress repository. An immediate update is recommended through the WordPress admin panel or by manually applying the patch from the source indicated in the references.
User Verification by PickPlugins plugin for WordPress—all versions up to and including 2.0.46.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H