3 Critical WordPress Plugin Vulnerabilities Patched in Just 9 Days
The WordPress security landscape has seen an intense start to May 2026. Between April 24 and May 2, three separate CRITICAL vulnerabilities were discovered and patched across widely used plugins — all carrying a CVSS score of 9.8. Here is what happened, what was affected, and what you need to do.
1. CVE-2026-4882: Arbitrary File Upload in User Registration Advanced Fields
| Field | Value |
|---|---|
| CVE ID | CVE-2026-4882 |
| CVSS | 9.8 (Critical) |
| Plugin | User Registration Advanced Fields (≤1.6.20) |
| Patched in | Version 1.6.21 |
| Type | Arbitrary File Upload |
User Registration Advanced Fields (premium addon) extends WordPress user registration forms with additional field types including file uploads. The URAF_AJAX::method_upload function failed to validate the uploaded file type, allowing unauthenticated attackers to upload arbitrary files — including PHP shells — to the server.
Important caveat: This vulnerability can only be exploited if a “Profile Picture” field has been added to the registration form. Still, given that file upload support is the primary feature of this plugin, most active installations have this field enabled.
An attacker who successfully uploads a PHP web shell gains complete remote code execution on the server, which means they can read, modify, or delete any file, access the database, and install persistent backdoors.
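To make the missing check concrete, here is an added example (not the plugin's code) of how a profile-picture upload handler can validate what it receives. The function name, the allowlist and the sample files are assumptions constructed for this illustration; in a WordPress plugin the same checks would normally go through wp_check_filetype_and_ext() and wp_handle_upload() rather than raw finfo calls.

```php
<?php
// Added example, not code from User Registration Advanced Fields.
// Assumptions: the handler receives one $_FILES-style entry; the allowlist
// below stands in for whatever image types the form is meant to accept.
declare(strict_types=1);

const ALLOWED_IMAGE_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

/**
 * Validates a $_FILES entry the way the page says the vulnerable handler did not:
 * extension allowlist, content sniffing with finfo (not the client-supplied
 * 'type'), a refusal of embedded PHP open tags, and a server-chosen filename so
 * that a double extension such as "avatar.php.png" never reaches disk as given.
 * Returns the safe destination filename, or throws with the reason for rejection.
 */
function validate_profile_picture(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed or missing');
    }
    // In a real request handler also require is_uploaded_file($file['tmp_name']).
    $original = (string) ($file['name'] ?? '');
    $ext = strtolower(pathinfo($original, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_IMAGE_TYPES[$ext])) {
        throw new RuntimeException("extension not allowed: .$ext");
    }

    // Check the bytes, not $file['type'], which the client controls.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $detected = (string) $finfo->file($file['tmp_name']);
    if ($detected !== ALLOWED_IMAGE_TYPES[$ext]) {
        throw new RuntimeException("content is $detected, expected " . ALLOWED_IMAGE_TYPES[$ext]);
    }

    // A polyglot (valid GIF header followed by PHP code) passes the MIME check,
    // so additionally refuse anything containing a PHP open tag.
    if (strpos((string) file_get_contents($file['tmp_name']), '<?') !== false) {
        throw new RuntimeException('embedded PHP open tag');
    }

    // Never reuse the client's filename: random name plus the vetted extension.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed sample uploads (not real files from any site): a genuine 1x1 PNG,
// a file with a PHP extension, a double extension, and a GIF/PHP polyglot.
$samples = [
    'avatar.png'     => base64_decode('iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='),
    'shell.php'      => "<?php /* constructed sample */ ?>",
    'avatar.php.png' => "<?php /* constructed sample */ ?>",
    'poly.gif'       => "GIF89a<?php /* constructed sample */ ?>",
];
foreach ($samples as $name => $bytes) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $bytes);
    try {
        $safe = validate_profile_picture(['name' => $name, 'tmp_name' => $tmp, 'error' => UPLOAD_ERR_OK]);
        echo "$name: accepted, stored as $safe\n";
    } catch (RuntimeException $e) {
        echo "$name: rejected (" . $e->getMessage() . ")\n";
    } finally {
        unlink($tmp);
    }
}
```

Run it with `php validate_upload.php` (any filename works). Only the genuine PNG is accepted; the other three are rejected at the extension, MIME or open-tag stage respectively. The random server-side filename matters even when the content checks pass, because it is the only step that does not depend on the sniffing being perfect.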
2. CVE-2026-7458: Authentication Bypass in PickPlugins User Verification
| Field | Value |
|---|---|
| CVE ID | CVE-2026-7458 |
| CVSS | 9.8 (Critical) |
| Plugin | User Verification by PickPlugins (≤2.0.46) |
| Patched in | Version 2.0.47 |
| Type | Authentication Bypass via Loose Comparison |
User Verification by PickPlugins handles email verification and OTP-based login for WordPress sites. The vulnerability lies in the user_verification_form_wrap_process_otpLogin function, which uses PHP’s loose comparison operator (==) instead of strict comparison (===) when validating OTP codes.
This is a classic PHP type juggling vulnerability. When the OTP is compared using ==, sending the value true (boolean) can match against a numeric or string OTP value under certain conditions. The result: an unauthenticated attacker can log in as any user with a verified email address — including administrators — without knowing their password or the correct OTP.
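The following added example (not the plugin's code) puts the loose and strict forms of an OTP check side by side and runs both over a set of constructed inputs, so the boolean case the page describes can be seen next to the less obvious numeric-string cases that == also accepts. The stored code and the function names are assumptions for this illustration.

```php
<?php
// Added example, not code from User Verification by PickPlugins.
// The stored OTP is a constructed sample value.

/** The shape of check the page describes: loose comparison with ==. */
function loose_otp_check(string $stored, $submitted): bool
{
    return $stored == $submitted;
}

/**
 * Hardened check: refuse anything that is not a string, then compare with
 * hash_equals(), which is strict (no type juggling) and constant-time.
 * The is_string() guard matters because hash_equals() would coerce an
 * integer to a string in non-strict mode.
 */
function strict_otp_check(string $stored, $submitted): bool
{
    if (!is_string($submitted)) {
        return false;
    }
    return hash_equals($stored, $submitted);
}

$stored = '482913';
$cases = [
    'correct code "482913"'      => '482913',
    'wrong code "000000"'        => '000000',
    'boolean true'               => true,       // the case the page describes
    'numeric twin "482913.0"'    => '482913.0', // numeric strings compare numerically
    'exponent form "4.82913e5"'  => '4.82913e5',
    'integer 482913'             => 482913,
];
foreach ($cases as $label => $submitted) {
    printf(
        "%-28s loose: %-5s strict: %s\n",
        $label,
        loose_otp_check($stored, $submitted) ? 'true' : 'false',
        strict_otp_check($stored, $submitted) ? 'true' : 'false'
    );
}
```

Only the first case passes the strict check. The loose check accepts the boolean, both numeric-string spellings and the integer, because == converts the stored string to the submitted operand's type before comparing. Note that the boolean case only reaches the code as a real boolean when the request body is decoded from a typed format such as JSON; a plain form field always arrives as a string or an array.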
3. CVE-2026-7567: Authentication Bypass in Temporary Login
| Field | Value |
|---|---|
| CVE ID | CVE-2026-7567 |
| CVSS | 9.8 (Critical) |
| Plugin | Temporary Login by StoreApps (≤1.0.0) |
| Patched in | Version 1.0.1 |
| Type | Authentication Bypass via PHP Array Input |
Temporary Login by StoreApps allows site administrators to generate temporary login links for support staff. The vulnerability occurs when the temp-login-token GET parameter is passed as an array (?temp-login-token[]=x). PHP’s empty() check returns false for the resulting non-empty array, sanitize_key() returns an empty string, and WordPress returns all users with the temporary login meta key — allowing the attacker to authenticate as any of them.
We covered this vulnerability in detail in our dedicated CVE analysis.
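As an added example (not the plugin's code), the script below shows the three request shapes side by side, how empty() and a sanitize_key()-style filter treat each, and a guard that stops the array form before any user lookup can run. The sanitize_key_like() function is a constructed stand-in so the script runs without WordPress; it mirrors only the behaviour the page attributes to sanitize_key(). The expected token length is an assumption.

```php
<?php
// Added example, not code from Temporary Login by StoreApps.

/**
 * Constructed stand-in for sanitize_key(): lowercase, keep [a-z0-9_-],
 * and return '' for any non-scalar input, as the page describes.
 */
function sanitize_key_like($key): string
{
    if (!is_scalar($key)) {
        return '';
    }
    return preg_replace('/[^a-z0-9_\-]/', '', strtolower((string) $key)) ?? '';
}

/**
 * Vulnerable shape described on the page: empty() is the only gate, so a
 * non-empty array passes and the value handed to the lookup is ''.
 * Returns the lookup value, or null if the request is blocked.
 */
function token_for_lookup_loose($raw): ?string
{
    if (empty($raw)) {
        return null;
    }
    return sanitize_key_like($raw);
}

/**
 * Hardened: require a string, sanitize, then require the result to still be
 * a plausible token (non-empty, expected length) before any query is built.
 */
function token_for_lookup_strict($raw, int $expected_len = 32): ?string
{
    if (!is_string($raw)) {
        return null;
    }
    $token = sanitize_key_like($raw);
    if ($token === '' || strlen($token) !== $expected_len) {
        return null;
    }
    return $token;
}

// Constructed query strings: a well-formed token, the array form the page
// describes, and an empty value.
$queries = [
    'temp-login-token=' . str_repeat('a', 32),
    'temp-login-token[]=x',
    'temp-login-token=',
];
foreach ($queries as $qs) {
    parse_str($qs, $get);            // same parsing PHP applies to build $_GET
    $raw = $get['temp-login-token'] ?? null;
    printf(
        "?%-40s empty(): %-5s  loose -> %-4s  strict -> %s\n",
        $qs,
        empty($raw) ? 'true' : 'false',
        var_export(token_for_lookup_loose($raw), true),
        var_export(token_for_lookup_strict($raw), true)
    );
}
```

For the array form, empty() is false, the loose path returns '' (which is what then reaches the meta query), and the strict path returns null. The general rule the example illustrates: every value read from $_GET, $_POST or $_REQUEST can be a string or an array, so an is_string() (or is_scalar()) check belongs before any sanitizer that silently maps arrays to a harmless-looking default.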
The Big Picture
What do these three vulnerabilities have in common? All three are:
- Critical severity (CVSS 9.8) — remotely exploitable, no authentication required
- Rooted in PHP language quirks — array input handling, loose comparison, type confusion
- Patchable — all three plugins have released fixes
This cluster of critical vulnerabilities highlights an uncomfortable reality: PHP’s type system has been the source of countless WordPress plugin flaws, and it will continue to be. Plugin authors must adopt strict typing and defensive input validation as a baseline, not an afterthought.
What You Should Do Now
- Update all three plugins — User Registration Advanced Fields to 1.6.21+, User Verification to 2.0.47+, and Temporary Login to 1.0.1+
- Check your logs — Look for unusual POST requests with file uploads that may indicate exploitation of CVE-2026-4882
- Review admin accounts — Verify no unauthorized administrator accounts have been created
- Install a security plugin — Use Trusti Security to get real-time vulnerability alerts and automated monitoring for all your WordPress plugins
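Log review only shows attempts; the artifact a successful CVE-2026-4882 exploitation leaves behind is a PHP file in the uploads tree. The added example below (not a Trusti or WordPress tool) walks a directory and reports files that are PHP by extension or by content, with their modification time, so it can be pointed at wp-content/uploads during the review step. The temporary tree it scans is constructed for the demonstration.

```php
<?php
// Added example for the post-patch review, not code from any of the plugins.
// Usage on a real site: scan_uploads('/path/to/wp-content/uploads').

const PHP_EXTENSIONS = ['php', 'phtml', 'php3', 'php4', 'php5', 'php7', 'phps', 'phar'];

/**
 * Returns a list of [path, reasons, mtime] entries for files under $dir that
 * either carry a PHP extension or contain a PHP open tag in their first 4 KiB
 * (which catches a shell renamed to an image extension).
 */
function scan_uploads(string $dir): array
{
    $findings = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $path => $info) {
        if (!$info->isFile()) {
            continue;
        }
        $reasons = [];
        $ext = strtolower($info->getExtension());
        if (in_array($ext, PHP_EXTENSIONS, true)) {
            $reasons[] = "php extension .$ext";
        }
        $head = (string) file_get_contents($path, false, null, 0, 4096);
        if (strpos($head, '<?php') !== false || strpos($head, '<?=') !== false) {
            $reasons[] = 'contains PHP open tag';
        }
        if ($reasons) {
            $findings[] = [$path, implode('; ', $reasons), date('c', $info->getMTime())];
        }
    }
    return $findings;
}

// Constructed demo tree: one benign image, one shell-like file hiding behind
// a .png name, one file with a .php extension.
$root = sys_get_temp_dir() . '/uploads-demo-' . bin2hex(random_bytes(4));
mkdir("$root/2026/05", 0700, true);
file_put_contents("$root/2026/05/photo.png", "\x89PNG\r\n\x1a\n constructed sample");
file_put_contents("$root/2026/05/avatar.png", "<?php /* constructed sample */ ?>");
file_put_contents("$root/2026/05/cache.php", "<?php /* constructed sample */ ?>");

foreach (scan_uploads($root) as [$path, $reasons, $mtime]) {
    echo "$mtime  $path  [$reasons]\n";
}

// Clean up the demo tree (children first so directories are empty when removed).
$cleanup = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
    RecursiveIteratorIterator::CHILD_FIRST
);
foreach ($cleanup as $p => $i) {
    $i->isDir() ? rmdir($p) : unlink($p);
}
rmdir($root);
```

The scan reports avatar.png and cache.php and ignores photo.png. Any hit in an uploads directory deserves a look at the surrounding access-log entries for the same timestamp, and the file's owner and permissions will usually tell you whether the web server wrote it. Disallowing PHP execution under wp-content/uploads at the web-server level is the matching mitigation, since it neutralises a file that slipped past the plugin's checks.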
The next critical vulnerability is already being discovered. Make sure your defenses are in place before it hits your site.