{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32497", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:12:00.510Z", "datePublished": "2026-03-25T16:14:59.736Z", "dateUpdated": "2026-03-25T16:14:59.736Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "user-verification", "product": "User Verification", "vendor": "PickPlugins", "versions": [{"changes": [{"at": "2.0.46", "status": "unaffected"}], "lessThanOrEqual": "<= 2.0.45", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nguyen Ba Khanh | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:37.970Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Weak Authentication vulnerability in PickPlugins User Verification user-verification allows Authentication Abuse.<p>This issue affects User Verification: from n/a through <= 2.0.45.</p>"}], "value": "Weak Authentication vulnerability in PickPlugins User Verification user-verification allows Authentication Abuse.This issue affects User Verification: from n/a through <= 2.0.45."}], "impacts": [{"capecId": "CAPEC-114", "descriptions": [{"lang": "en", "value": "Authentication Abuse"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-1390", "description": "Weak Authentication", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:59.736Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/user-verification/vulnerability/wordpress-user-verification-plugin-2-0-45-email-verification-bypass-vulnerability?_s_id=cve"}], "title": "WordPress User Verification plugin <= 2.0.45 - Email Verification Bypass vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Weak Authentication vulnerability in PickPlugins User Verification user-verification allows Authentication Abuse.This issue affects User Verification: from n/a through <= 2.0.45."}], "id": "CVE-2026-32497", "lastModified": "2026-03-25T17:17:01.533", "metrics": {}, "published": "2026-03-25T17:17:01.533", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/user-verification/vulnerability/wordpress-user-verification-plugin-2-0-45-email-verification-bypass-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-1390"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T19:23:25.800367+00:00", "value": {"mitigation_remediation": ["Update the User Verification plugin to a version newer than 2.0.45.", "If an immediate update is not possible, temporarily disable the plugin to prevent exploitation.", "Audit user accounts for signs of unauthorized access and enforce stricter verification measures.", "Monitor server logs for abnormal authentication attempts and investigate any anomalies."], "summary": {"action": "Patch Immediately", "impact": "Unauthenticated Account Access"}, "threat_synthesis": {"affected_systems": "Any WordPress site using the PickPlugins User Verification plugin version 2.0.45 or earlier is affected. All releases up to and including 2.0.45 are known to contain the bug and can be exploited when the plugin is active.\n", "description_and_impact": "The User Verification plugin contains a weakness in its authentication flow that allows an attacker to bypass the mandatory email verification step and log in as any user. This flaw is identified as authentication abuse (CWE-1390), enabling unauthorized access to WordPress user accounts and potential escalation of privileges.\n", "risk_and_exploitability": "The public description of the vulnerability does not report an EPSS score, and the vulnerability is not listed in the CISA KEV catalog, indicating that it has not been observed as a widely exploited issue yet. However, exploitation can be performed by an attacker who supplies a forged or omitted email verification link, bypassing the intended check. Because no special prerequisites are required, the risk remains significant for any site relying on this plugin for authentication control."}}}}, "created": "2026-03-25T21:43:31.493535+00:00", "updated": "2026-03-25T21:43:31.493566+00:00", "vendors": []}