Impact statement: CVE-2026-7458 is a critical vulnerability in the User Verification by PickPlugins plugin for WordPress. Wordfence and NVD rate it CVSS 9.8 (critical). On vulnerable sites, public one-time-login or verification workflows may allow unauthorized account access when the plugin is exposed to visitors. If an administrator account can be reached through the affected workflow, the impact can escalate to full site compromise.
This matters for membership sites, customer portals, communities, WooCommerce customer areas, support portals, learning sites, and any WordPress install that uses verification or passwordless-style login features. Patch first, then review recent logins and administrator users.
Who Is Affected
Check WordPress sites running User Verification by PickPlugins. The highest-risk sites are those that expose public account registration, user verification, one-time-login, email verification, or account recovery workflows.
- Affected: User Verification by PickPlugins versions 2.0.46 and older.
- Fixed: User Verification by PickPlugins 2.0.47 or newer.
- Higher-risk use cases: membership sites, customer portals, ecommerce accounts, learning sites, community accounts, and support portals.
- Risk increases when administrator or staff accounts use the same public-facing verification workflow as customers.
Patch First
Update User Verification by PickPlugins to 2.0.47 or newer. Back up the site first, apply the update, clear caches, then test login and verification flows with a normal test account.
wp plugin list --fields=name,status,version,update --format=table
wp plugin list --name=user-verification --fields=name,status,version,update_version --format=table
wp plugin update user-verification
wp cache flush
If WP-CLI is not available, update through Dashboard > Plugins. After the update, clear page cache, object cache, security-plugin cache, and CDN cache so login and account pages use current plugin assets.
Immediate Mitigation If You Cannot Patch Yet
If a compatibility issue blocks the update, reduce exposure until the fixed version is installed.
- Temporarily disable one-time-login or passwordless-style login features.
- Require normal password login and multi-factor authentication for staff accounts.
- Disable public registration when the site does not need it.
- Restrict account recovery and verification pages to trusted networks when practical.
- Put login and account pages behind managed WordPress firewall rules.
- Remove inactive users and test accounts that no longer need access.
Safe Verification
Verification should stay defensive: confirm the fixed version, check whether public registration is enabled, and review users and recent activity. Do not run public testing tools against production sites.
wp plugin list --name=user-verification --fields=name,status,version,update_version --format=table
wp option get users_can_register
wp user list --fields=ID,user_login,user_email,roles,registered --format=table
After patching, confirm the plugin shows 2.0.47 or newer. Then review administrator users, recent registrations, recent password or email changes, and unusual account activity during the window in which the site ran a vulnerable version.
What To Review After Updating
For sites that used public verification or one-time-login features before patching, treat this as an account-access review.
- Administrator accounts that were not created or used by staff.
- Recent user registrations, email-address changes, password resets, and role changes.
- Security plugin alerts for unusual logins, account changes, or blocked login activity.
- Web server logs, PHP error logs, and WordPress activity logs around login and account pages.
- Recent plugin installs, theme changes, administrator email changes, and unknown scheduled jobs.
- Customer support tickets mentioning unexpected account access, changed emails, or login notices.
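The version check from Safe Verification and the administrator review above can be scripted so the same checks run identically across many sites. The following is an added example, not code from the advisory or from PickPlugins: it assumes the plugin slug `user-verification`, the fixed version 2.0.47 stated above, one role per user in the `wp user list` CSV output, and a constructed placeholder start date of 2026-01-01 for the review window.

```shell
#!/bin/sh
# Added example (not the advisory's or PickPlugins' own code): post-patch checks for
# the plugin slug `user-verification`. Fixed version 2.0.47 is from the advisory.
FIXED_VERSION="2.0.47"
PLUGIN_SLUG="user-verification"

# version_lt A B: exit 0 when dotted version A is lower than B (e.g. 2.0.9 < 2.0.10).
version_lt() {
    printf '%s\n%s\n' "$1" "$2" | awk -F. '
        NR == 1 { n1 = NF; for (i = 1; i <= NF; i++) a[i] = $i + 0 }
        NR == 2 { n2 = NF; for (i = 1; i <= NF; i++) b[i] = $i + 0 }
        END {
            n = (n1 > n2) ? n1 : n2
            for (i = 1; i <= n; i++) {
                if (a[i] + 0 < b[i] + 0) exit 0
                if (a[i] + 0 > b[i] + 0) exit 1
            }
            exit 1   # equal versions are not "lower"
        }'
}

# plugin_needs_update INSTALLED: exit 0 while the installed version is still vulnerable.
plugin_needs_update() { version_lt "$1" "$FIXED_VERSION"; }
# registration_open VALUE: exit 0 when the users_can_register option value is "1".
registration_open() { [ "$1" = "1" ]; }

# list_admins_since DATE: filter `wp user list --fields=ID,user_login,roles,registered
# --format=csv` output (read from stdin) down to administrators registered on or after
# DATE (YYYY-MM-DD). Assumes one role per user, so the roles column holds no commas.
list_admins_since() {
    awk -F, -v since="$1" 'NR > 1 && $3 ~ /administrator/ && substr($4, 1, 10) >= since'
}

# Live run against the site only when asked for and WP-CLI is available, e.g.
#   sh check-user-verification.sh --live 2026-01-01   (hypothetical file name)
if [ "${1:-}" = "--live" ] && command -v wp >/dev/null 2>&1; then
    installed=$(wp plugin get "$PLUGIN_SLUG" --field=version)
    if plugin_needs_update "$installed"; then
        echo "VULNERABLE: $PLUGIN_SLUG $installed is below $FIXED_VERSION, update now"
    else
        echo "OK: $PLUGIN_SLUG $installed is at or above $FIXED_VERSION"
    fi
    if registration_open "$(wp option get users_can_register)"; then
        echo "NOTE: public registration (users_can_register) is enabled"
    fi
    echo "Administrators registered since ${2:-2026-01-01}:"
    wp user list --fields=ID,user_login,roles,registered --format=csv \
        | list_admins_since "${2:-2026-01-01}"
fi
```

Without `--live` the script only defines the functions, so captured `wp user list` CSV from several sites can be piped through `list_admins_since` offline.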
Hosting Provider Notes
For hosting teams and agencies, prioritize sites with public registration, customer portals, ecommerce accounts, membership access, or passwordless-style login enabled. Patch the plugin, clear caches, review administrators, and ask the site owner whether staff accounts were allowed to use public verification links.
Customer messaging can stay straightforward: the site used a vulnerable WordPress user verification plugin, the plugin was updated to a fixed version, public login and verification settings were reviewed, and administrator users plus recent account activity were checked.
Hardening Checklist
- Keep WordPress core, plugins, themes, and paid add-ons current.
- Require multi-factor authentication for administrators, editors, store managers, and support staff.
- Keep administrator login separate from public customer login workflows where possible.
- Disable public registration unless the site needs it.
- Use least-privilege roles for customers, members, contributors, vendors, and support users.
- Monitor administrator creation, password resets, email changes, and plugin activation events.
- Keep clean database and file backups, then test restores before an emergency.
Fix I.T. Phill Guidance
Patch User Verification by PickPlugins to 2.0.47 or newer, then review whether public verification or one-time-login should remain enabled. If staff accounts can use the same public flow as visitors, tighten that immediately. The defensive work is direct: update the plugin, clear caches, require stronger staff login controls, review users, and document any suspicious account activity for the site owner.
