CVE-2026-7458

PickPlugins · User Verification

The User Verification plugin for WordPress is vulnerable to authentication bypass due to loose comparison of OTP codes, allowing unauthenticated login.

Executive summary

An authentication bypass in the User Verification by PickPlugins WordPress plugin allows unauthenticated attackers to log in as any verified user, including administrators.

Vulnerability

The vulnerability stems from validating OTP codes with PHP's loose comparison operator (==), which coerces the two operands to a common type before comparing them. This allows an attacker to bypass the verification step by supplying a boolean true value in place of the OTP code.
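The following is an added illustration of the comparison pattern described above and of a hardened replacement; it is not code from the User Verification plugin. The function names, the parameter names and the assumed six-digit OTP format are hypothetical, and the submitted values are constructed inputs. Beyond the boolean case the advisory names, it also shows why loose comparison treats numeric-looking strings as equal when they are not the same string.

```php
<?php
// Added example, not the plugin's code. Function and parameter names are hypothetical.

// Pattern the advisory describes: loose comparison (==) between the stored OTP and the
// submitted value. PHP converts the operands to a common type first, so a boolean true
// matches any non-empty string and numeric-looking strings are compared as numbers.
function otp_matches_loose(string $stored_otp, $submitted_otp): bool
{
    return $stored_otp == $submitted_otp;
}

// Hardened form: refuse anything that is not a string of the expected shape before
// comparing, then compare with hash_equals(), which requires two strings and runs in
// constant time.
function otp_matches_strict(string $stored_otp, $submitted_otp): bool
{
    if (!is_string($submitted_otp)) {
        return false;
    }
    // Assumed OTP format: exactly six ASCII digits. Adjust to the real format in use.
    if (!preg_match('/^[0-9]{6}$/', $submitted_otp)) {
        return false;
    }
    return hash_equals($stored_otp, $submitted_otp);
}

// Constructed inputs: one stored code and several submitted values, including the kinds of
// non-string values that arrive when decoded JSON or unfiltered request data is passed in.
$stored = '123456';
$cases = [
    'correct string' => '123456',
    'wrong string'   => '654321',
    'boolean true'   => true,
    'numeric form'   => '0123456', // a different string that == treats as the number 123456
];

foreach ($cases as $label => $value) {
    printf(
        "%-15s loose=%s strict=%s\n",
        $label,
        otp_matches_loose($stored, $value) ? 'accept' : 'reject',
        otp_matches_strict($stored, $value) ? 'accept' : 'reject'
    );
}
```

Run with any PHP 7.x or 8.x CLI. The loose function accepts three of the four inputs, while the strict function accepts only the exact stored string. The type guard in front of hash_equals() matters in its own right: on PHP 8 hash_equals() throws a TypeError for a non-string argument, which is better than silently accepting but still not the behaviour you want on a login path.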

Business impact

This flaw carries a CVSS score of 9.8 (Critical). An attacker can gain administrative access to the WordPress site, resulting in complete site compromise and potential data breach.

Remediation

Immediate Action: Update the User Verification by PickPlugins plugin to the latest version as soon as possible.

Proactive Monitoring: Monitor authentication logs for suspicious successful logins and verify that all administrative logins are coming from trusted sources.

Compensating Controls: Temporarily disable the plugin if an update is not immediately available to mitigate the risk of unauthorized access.

Exploitation status

Public Exploit Available: No

Analyst recommendation

The vulnerability is trivial to exploit and provides high-level access. Administrators must patch this plugin immediately to prevent unauthorized administrative account takeover.