CVE-2025-12374 CRITICAL

CVE-2025-12374: Email Verification, Email OTP, Block Spam Email, Passwordless login, Hide Login, Magic Login – User Verification <= 2.0.44 - Authentication Bypass to Account Takeover

Vendor Pickplugins
Product User Verification by PickPlugins
Weakness CWE-287 · Improper authentication
Published December 5, 2025
Last update April 8, 2026

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

The Email Verification, Email OTP, Block Spam Email, Passwordless login, Hide Login, Magic Login – User Verification plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.0.44. This is due to the plugin not properly validating that an OTP was generated before comparing it to user input in the "user_verification_form_wrap_process_otpLogin" function. This makes it possible for unauthenticated attackers to log in as any user with a verified email address, such as an administrator, by submitting an empty OTP value.
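To make the bug class concrete, the following PHP snippet is an added illustration written for this page; it is not the plugin's code, and the function names, the in-memory `$otp_store` array (standing in for WordPress user meta) and the sample OTP values are constructed for the example. It places a check that fails open when no OTP was ever generated beside a hardened version of the same check.

```php
<?php
// Added illustration for this advisory; it is NOT the plugin's code.
// Function names, the $otp_store array and the sample OTP values are
// constructed for this example. In a WordPress plugin the store would be
// user meta, the input would come from $_POST, and a successful check
// would be followed by wp_set_auth_cookie().

// Constructed per-user OTP store: 'admin' never requested an OTP, so the
// entry is null; 'editor' has a fresh 6-digit code that expires in 5 minutes.
$otp_store = [
    'admin'  => null,
    'editor' => ['code' => '483920', 'expires' => time() + 300],
];

// Fails open: nothing checks that an OTP was generated, and PHP's loose ==
// treats null and '' as equal, so an empty submission "matches" a missing code.
function otp_login_vulnerable(array $store, string $user, $submitted): bool
{
    $stored = $store[$user]['code'] ?? null;
    return $stored == $submitted;
}

// Hardened: reject when no OTP exists or it has expired, reject empty or
// non-string input, compare with hash_equals() (strict, constant time), and
// consume the code on success so it cannot be replayed.
function otp_login_hardened(array &$store, string $user, $submitted): bool
{
    $entry = $store[$user] ?? null;
    if (!is_array($entry) || !is_string($entry['code'] ?? null) || $entry['code'] === '') {
        return false; // no OTP was ever generated for this user
    }
    if (time() > ($entry['expires'] ?? 0)) {
        $store[$user] = null; // stale code: discard it
        return false;
    }
    if (!is_string($submitted) || $submitted === '') {
        return false; // empty input must never match anything
    }
    if (!hash_equals($entry['code'], $submitted)) {
        return false;
    }
    $store[$user] = null; // single use: consume the code on success
    return true;
}

// Four login attempts against the constructed store.
echo 'vulnerable, admin,  empty OTP:    ', var_export(otp_login_vulnerable($otp_store, 'admin', ''), true), PHP_EOL;
echo 'hardened,   admin,  empty OTP:    ', var_export(otp_login_hardened($otp_store, 'admin', ''), true), PHP_EOL;
echo 'hardened,   editor, correct OTP:  ', var_export(otp_login_hardened($otp_store, 'editor', '483920'), true), PHP_EOL;
echo 'hardened,   editor, replayed OTP: ', var_export(otp_login_hardened($otp_store, 'editor', '483920'), true), PHP_EOL;
```

Run it with the PHP CLI. Because `null == ''` is true in PHP, the vulnerable function accepts the empty OTP for `admin`, who never requested a code; the hardened version refuses it, accepts the editor's valid code once, and refuses the same code on a second attempt. For detection, a login request whose OTP field is empty is a useful signal to log and alert on while the plugin is being updated.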

Explanation of Vulnerability in Simple Terms

02 Summary

User Verification by PickPlugins versions 2.0.44 and earlier contain an authentication bypass vulnerability. An attacker can bypass login mechanisms without valid credentials, gaining unauthorized access to user accounts and sensitive data. The vulnerability requires no special privileges or user interaction and can be exploited remotely over the network.

What an attacker can do

03 Attacker Capabilities

Bypass login authentication and gain unauthorized access to user accounts without valid credentials.

Potential impact on your site

04 Site Impact

Attackers can access any user account, including admin accounts, compromising site security and user data.

Conditions required to exploit

05 Prerequisites

Network access to the site; no authentication or user interaction required.

Key dates

06 Disclosure timeline

December 5, 2025 CVE published
April 8, 2026 Record updated