## https://sploitus.com/exploit?id=19E0D94A-E2E8-5EDF-91D0-9D413694423C
🧨 CVE-2026-7458 – PickPlugins User Verification OTP Bypass

  Unauthenticated Authentication Bypass via Loose Comparison in OTP Verification REST API
  PickPlugins User Verification ≤ 2.0.46


---

## 📖 Description

The **User Verification** plugin by PickPlugins for WordPress (versions **≤ 2.0.46**) contains a critical vulnerability in its OTP login mechanism. Due to a **loose comparison (`==`)** in the verification logic, an unauthenticated attacker can bypass OTP authentication by sending a boolean `true` instead of a numeric OTP value. This grants full access to the target account without ever knowing the OTP.

> **CVSS Score:** 9.8 (Critical)  
> **CWE:** CWE-288 (Authentication Bypass Using an Alternate Path)  
> **Attack Vector:** Network | **Complexity:** Low | **Privileges:** None
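To make the root cause concrete for anyone reviewing or patching similar code, the following is an added illustration written for this page; it is not the plugin's code, and the function names, the sample OTP value and the request bodies are constructed. It shows why PHP's `==` accepts a JSON boolean `true` in place of a numeric OTP string, and a strict replacement that rejects non-string input and compares in constant time. The guarded `register_rest_route()` call at the end shows how a WordPress REST endpoint can also refuse such input before the callback runs (the route name is illustrative).

```php
<?php
// Added illustration (not the plugin's code): loose vs strict OTP comparison.

// Constructed sample: the OTP a site would have stored for the user.
$storedOtp = '482913';

// Constructed sample request bodies, as PHP sees them after json_decode().
$requests = [
    'correct code' => json_decode('{"otp": "482913"}', true),
    'wrong code'   => json_decode('{"otp": "000000"}', true),
    'boolean true' => json_decode('{"otp": true}', true),
];

// Vulnerable pattern: loose comparison. In PHP, "482913" == true evaluates to
// true because the non-empty string is converted to boolean for the comparison,
// so any stored OTP matches a submitted boolean true.
function verify_otp_loose(string $stored, $submitted): bool
{
    return $stored == $submitted;
}

// Hardened pattern: accept only a digit string of the expected length, then
// compare strictly and in constant time with hash_equals().
function verify_otp_strict(string $stored, $submitted): bool
{
    if (!is_string($submitted)
        || !ctype_digit($submitted)
        || strlen($submitted) !== strlen($stored)) {
        return false;
    }
    return hash_equals($stored, $submitted);
}

foreach ($requests as $label => $body) {
    $submitted = $body['otp'] ?? null;
    printf(
        "%-13s loose=%s strict=%s\n",
        $label,
        verify_otp_loose($storedOtp, $submitted) ? 'PASS' : 'fail',
        verify_otp_strict($storedOtp, $submitted) ? 'PASS' : 'fail'
    );
}

// Second layer, only meaningful inside WordPress: declare the argument schema
// on the route so the REST layer rejects a boolean before the callback runs.
// Guarded so this file also runs as a plain PHP script outside WordPress.
if (function_exists('add_action')) {
    add_action('rest_api_init', function () {
        register_rest_route('example/v1', '/otp-login', [
            'methods'             => 'POST',
            'callback'            => 'example_otp_login', // illustrative callback name
            'permission_callback' => '__return_true',      // public login endpoint
            'args'                => [
                'otp' => [
                    'required'          => true,
                    'type'              => 'string',
                    'validate_callback' => fn($value) => is_string($value) && ctype_digit($value),
                ],
            ],
        ]);
    });
}
```

Running the script with `php otp_compare.php` shows the loose check passing for both the correct code and the boolean, while the strict check passes only for the correct code. The schema `type` alone should not be relied on as the sole control; the explicit `validate_callback` and the strict comparison in the callback are what close the gap regardless of how the REST layer coerces types.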

---

## ⚡ Affected Versions

| Component                     | Vulnerable Versions      |
| :---------------------------- | :----------------------- |
| PickPlugins User Verification | ≤ 2.0.46                 |
| WordPress (any)               | Any (with plugin active) |

---

## 🔬 Proof of Concept (PoC)

### 🚀 Usage

```bash
python exploit.py -u "http://target.com/otp-login/" -b "http://target.com" -e "admin@example.com"