CVE-2026-32497 - Vulnerability Details - OpenCVE

Weak Authentication vulnerability in PickPlugins User Verification user-verification allows Authentication Abuse.This issue affects User Verification: from n/a through <= 2.0.45.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00022.

Key SSVC decision points have not yet been added.

Vendors	Products
Pickplugins	User Verification
Wordpress	Wordpress

No data.

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Pickplugins	User Verification
Wordpress	Wordpress

References

Link	Providers
https://patchstack.com/database/Wordpress/Plugin/user-verification/vulnerability/wordpress-user-verification-plugin-2-0-45-email-verification-bypass-vulnerability?_s_id=cve

History

Thu, 26 Mar 2026 12:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Pickplugins Pickplugins user Verification Wordpress Wordpress wordpress
Vendors & Products		Pickplugins Pickplugins user Verification Wordpress Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type	Values Removed	Values Added
Description		Weak Authentication vulnerability in PickPlugins User Verification user-verification allows Authentication Abuse.This issue affects User Verification: from n/a through <= 2.0.45.
Title		WordPress User Verification plugin <= 2.0.45 - Email Verification Bypass vulnerability
Weaknesses		CWE-1390
References		https://patchstack.com/database/Wordpress/Plugin/user-verification/vulnerability/wordpress-user-verification-plugin-2-0-45-email-verification-bypass-vulnerability?_s_id=cve

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2026-03-25T16:14:59.736Z

Updated: 2026-03-26T20:29:50.008Z

Reserved: 2026-03-12T11:12:00.510Z

Link: CVE-2026-32497

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-03-25T17:17:01.533

Modified: 2026-03-25T17:17:01.533

Link: CVE-2026-32497

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-26T11:37:30Z

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32497", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:12:00.510Z", "datePublished": "2026-03-25T16:14:59.736Z", "dateUpdated": "2026-03-26T20:29:50.008Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "user-verification", "product": "User Verification", "vendor": "PickPlugins", "versions": [{"changes": [{"at": "2.0.46", "status": "unaffected"}], "lessThanOrEqual": "<= 2.0.45", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Ba Khanh | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:37.970Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Weak Authentication vulnerability in PickPlugins User Verification user-verification allows Authentication Abuse.<p>This issue affects User Verification: from n/a through <= 2.0.45.</p>"}], "value": "Weak Authentication vulnerability in PickPlugins User Verification user-verification allows Authentication Abuse.This issue affects User Verification: from n/a through <= 2.0.45."}], "impacts": [{"capecId": "CAPEC-114", "descriptions": [{"lang": "en", "value": "Authentication Abuse"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-1390", "description": "Weak Authentication", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:59.736Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/user-verification/vulnerability/wordpress-user-verification-plugin-2-0-45-email-verification-bypass-vulnerability?_s_id=cve"}], "title": "WordPress User Verification plugin <= 2.0.45 - Email Verification Bypass vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T20:29:20.112136Z", "id": "CVE-2026-32497", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T20:29:50.008Z"}}]}}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.0.45]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "2.0.46"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "User Verification", "source": "cna", "vendor": "PickPlugins"}, "product": "user_verification", "vendor": "pickplugins"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-25T19:23:25.800367+00:00", "value": {"mitigation_remediation": ["Update the User Verification plugin to a version newer than 2.0.45.", "If an immediate update is not possible, temporarily disable the plugin to prevent exploitation.", "Audit user accounts for signs of unauthorized access and enforce stricter verification measures.", "Monitor server logs for abnormal authentication attempts and investigate any anomalies."], "summary": {"action": "Patch Immediately", "impact": "Unauthenticated Account Access"}, "threat_synthesis": {"affected_systems": "Any WordPress site using the PickPlugins User Verification plugin version 2.0.45 or earlier is affected. All releases up to and including 2.0.45 are known to contain the bug and can be exploited when the plugin is active.\n", "description_and_impact": "The User Verification plugin contains a weakness in its authentication flow that allows an attacker to bypass the mandatory email verification step and log in as any user. This flaw is identified as authentication abuse (CWE-1390), enabling unauthorized access to WordPress user accounts and potential escalation of privileges.\n", "risk_and_exploitability": "The public description of the vulnerability does not report an EPSS score, and the vulnerability is not listed in the CISA KEV catalog, indicating that it has not been observed as a widely exploited issue yet. However, exploitation can be performed by an attacker who supplies a forged or omitted email verification link, bypassing the intended check. Because no special prerequisites are required, the risk remains significant for any site relying on this plugin for authentication control."}}}}, "created": "2026-03-25T21:43:31.493535+00:00", "updated": "2026-03-26T11:37:30.870182+00:00", "vendors": ["pickplugins", "pickplugins$PRODUCT$user_verification", "wordpress", "wordpress$PRODUCT$wordpress"]}