Does User Verification by PickPlugins have any unpatched vulnerabilities?

No. All known vulnerabilities in User Verification by PickPlugins have been patched as of the latest data update. Always keep the plugin updated to the latest version.

Is User Verification by PickPlugins compatible with WordPress 6.9.4?

According to WordPress.org data, User Verification by PickPlugins 2.0.46 has been tested up to WordPress 6.9.4. Check the plugin's changelog for the latest compatibility information.

How often is User Verification by PickPlugins updated?

User Verification by PickPlugins was last updated on Feb 14, 2026. Frequent updates are generally a positive security signal.

What is User Verification by PickPlugins's security score?

User Verification by PickPlugins has a WP-Safety security score of 88/100. This score is computed from CVE history, patch response time, developer trust signals, and plugin maintenance activity.

User Verification by PickPlugins Security & Risk Analysis

wordpress.org/plugins/user-verification

Email verification for user registration to protect spam.

5K active installs v2.0.46 PHP + WP 4.1+ Updated Feb 14, 2026

email-otpemail-validationemail-verificationhide-loginpasswordless-login

A · Safe

CVEs total2

Unpatched0

Last CVEDec 4, 2025

Plugin page Download

Safety Verdict

Is User Verification by PickPlugins Safe to Use in 2026?

Generally Safe

Score 88/100

User Verification by PickPlugins has a strong security track record. Known vulnerabilities have been patched promptly.

2 known CVEsLast CVE: Dec 4, 2025Updated 1mo ago

Risk Assessment

The "user-verification" plugin v2.0.46 exhibits a mixed security posture. While it demonstrates good practices with a high percentage of properly escaped outputs and 100% use of prepared statements for SQL queries, several areas raise concerns. The presence of dangerous functions like `shell_exec` warrants close attention, as does the taint analysis revealing two high-severity flows with unsanitized paths. The vulnerability history, despite having no currently unpatched CVEs, shows a past of two critical vulnerabilities, both related to improper authentication. This pattern suggests a potential recurring weakness that, if not addressed thoroughly, could resurface.

The attack surface is moderately sized, with a single unprotected REST API route being a significant oversight. The plugin also utilizes bundled libraries, which can introduce risks if not managed and updated diligently. Overall, while some security aspects are robust, the combination of specific code-level risks like the dangerous function and unsanitized taint flows, coupled with historical improper authentication vulnerabilities, indicates a need for vigilance and potential further review to ensure comprehensive security.

Key Concerns

Unprotected REST API route
High severity taint flow (x2)
Dangerous function (shell_exec)
Bundled library (Select2)
Past critical vulnerabilities (x2)

Vulnerabilities

User Verification by PickPlugins Security Vulnerabilities

CVEs by Year

1 CVE in 2022

2022

1 CVE in 2025

2025

Patched Has unpatched

Severity Breakdown

Critical

2 total CVEs

CVE-2025-12374critical · 9.8Improper Authentication

Email Verification, Email OTP, Block Spam Email, Passwordless login, Hide Login, Magic Login – User Verification <= 2.0.44 - Authentication Bypass to Account Takeover

Dec 4, 2025 Patched in 2.0.45 (46d)

CVE-2022-4693critical · 9.8Improper Authentication

User Verification <= 1.0.93 - Privilege Escalation

Dec 28, 2022 Patched in 1.0.94 (391d)

Code Analysis

Analyzed Mar 16, 2026

User Verification by PickPlugins Code Analysis

Dangerous Functions

Raw SQL Queries

13 prepared

Unescaped Output

660 escaped

Nonce Checks

Capability Checks

File Operations

External Requests

Bundled Libraries

Dangerous Functions Found

shell_exec$whoisData = shell_exec("whois " . escapeshellarg($domain));includes\classes\class-email-verifier.php:285

Bundled Libraries

Select2

SQL Query Safety

100% prepared13 total queries

Output Escaping

94% escaped702 total outputs

Data Flows

8 unsanitized

Data Flow Analysis

14 flows8 with unsanitized paths

user_verification_login_recaptcha_validate (includes\functions-recaptcha.php:75)

Source (user input) Sink (dangerous op) Sanitizer Transform Unsanitized Sanitized

Attack Surface

1 unprotected

User Verification by PickPlugins Attack Surface

Entry Points20

Unprotected1

AJAX Handlers 3

authwp_ajax_user_verification_resend_form_submitincludes\functions-ajax.php:176

noprivwp_ajax_user_verification_resend_form_submitincludes\functions-ajax.php:177

authwp_ajax_user_verification_reset_email_templatesincludes\functions.php:465

REST API Routes 8

POST/wp-json/user-verification/v2/stats_counterincludes\functions-rest.php:21

POST/wp-json/user-verification/v2/process_form_dataincludes\functions-rest.php:32

POST/wp-json/user-verification/v2/user_roles_listincludes\functions-rest.php:42

POST/wp-json/user-verification/v2/page_listincludes\functions-rest.php:53

POST/wp-json/user-verification/v2/update_optionsincludes\functions-rest.php:66

POST/wp-json/user-verification/v2/get_optionsincludes\functions-rest.php:82

POST/wp-json/user-verification/v2/validated_emailincludes\functions-rest.php:93

POST/wp-json/user-verification/v2/get_postsincludes\functions-rest.php:108

Shortcodes 9

[user_verification_otp_login_form] includes\classes\class-shortcodes.php:16

[user_verification_magic_login_form] includes\classes\class-shortcodes.php:17

[user_verification_clean_user_meta] includes\functions-cron-hook.php:11

[user_verification_validated_users_email] includes\functions-cron-hook.php:174

[user_verification_is_emaildomain_blocked] includes\functions.php:203

[user_verification_is_emaildomain_allowed] includes\functions.php:244

[user_verification_check] includes\functions.php:486

[user_verification_message] includes\functions.php:490

[uv_resend_verification_form] includes\functions.php:513

WordPress Hooks 103

actionbp_signup_validateincludes\3rd-party\buddypress\functions-buddypress.php:55

actionbp_core_signup_userincludes\3rd-party\buddypress\functions-buddypress.php:65

filterbp_members_signup_columnsincludes\3rd-party\buddypress\functions-buddypress.php:80

filterbp_members_signup_custom_columnincludes\3rd-party\buddypress\functions-buddypress.php:145

filtermepr-validate-signupincludes\3rd-party\memberpress\functions-memberpress.php:58

actionnsl_register_new_userincludes\3rd-party\nextend-facebook-connect\functions.php:7

filteruser_verification_email_templates_dataincludes\3rd-party\nextend-facebook-connect\functions.php:16

filterpmpro_confirmation_urlincludes\3rd-party\paid-memberships-pro\functions-paid-memberships-pro.php:5

filterpmpro_confirmation_messageincludes\3rd-party\paid-memberships-pro\functions-paid-memberships-pro.php:19

actionwp_footerincludes\3rd-party\paid-memberships-pro\functions-paid-memberships-pro.php:54

filterpmpro_registration_checksincludes\3rd-party\paid-memberships-pro\functions-paid-memberships-pro.php:109

filterpmpro_registration_checksincludes\3rd-party\paid-memberships-pro\functions-paid-memberships-pro.php:133

filterpmpro_registration_checksincludes\3rd-party\paid-memberships-pro\functions-paid-memberships-pro.php:160

actionpmpro_after_checkoutincludes\3rd-party\paid-memberships-pro\functions-paid-memberships-pro.php:324

filteruser_verification_settings_tabsincludes\3rd-party\paid-memberships-pro\settings-hook.php:4

actionuser_verification_settings_content_paid_memberships_proincludes\3rd-party\paid-memberships-pro\settings-hook.php:26

actionum_registration_after_auto_loginincludes\3rd-party\ultimate-member\functions-ultimate-member.php:4

actionum_profile_before_headerincludes\3rd-party\ultimate-member\functions-ultimate-member.php:18

actionum_add_error_on_form_submit_validationincludes\3rd-party\ultimate-member\functions-ultimate-member.php:33

filteruser_verification_settings_tabsincludes\3rd-party\ultimate-member\settings-hook.php:4

actionuser_verification_settings_content_ultimate_memberincludes\3rd-party\ultimate-member\settings-hook.php:25

actionwoocommerce_checkout_processincludes\3rd-party\woocommerce\functions-woocommerce.php:5

actionwoocommerce_checkout_processincludes\3rd-party\woocommerce\functions-woocommerce.php:34

filterwoocommerce_process_registration_errorsincludes\3rd-party\woocommerce\functions-woocommerce.php:57

filterwoocommerce_process_registration_errorsincludes\3rd-party\woocommerce\functions-woocommerce.php:80

actionwoocommerce_checkout_order_processedincludes\3rd-party\woocommerce\functions-woocommerce.php:103

actionwoocommerce_thankyouincludes\3rd-party\woocommerce\functions-woocommerce.php:118

filterwoocommerce_registration_redirectincludes\3rd-party\woocommerce\functions-woocommerce.php:152

actionwoocommerce_before_customer_login_formincludes\3rd-party\woocommerce\functions-woocommerce.php:196

filteruser_verification_settings_tabsincludes\3rd-party\woocommerce\settings-hook.php:4

actionuser_verification_settings_content_woocommerceincludes\3rd-party\woocommerce\settings-hook.php:24

actionuser_verification_settings_content_recaptchaincludes\3rd-party\woocommerce\settings-hook.php:145

actionwpum_auto_login_user_after_registrationincludes\3rd-party\wp-user-manager\functions.php:43

actionsubmit_wpum_form_validate_fieldsincludes\3rd-party\wp-user-manager\functions.php:59

filteruser_verification_settings_tabsincludes\3rd-party\wp-user-manager\settings-hook.php:4

actionuser_verification_settings_content_wp_user_managerincludes\3rd-party\wp-user-manager\settings-hook.php:25

actionadmin_noticesincludes\classes\class-admin-notices.php:11

actionadmin_noticesincludes\classes\class-admin-notices.php:12

actionadmin_noticesincludes\classes\class-admin-notices.php:13

actionadmin_noticesincludes\classes\class-admin-notices.php:14

filtermanage_users_custom_columnincludes\classes\class-column-users.php:14

filtermanage_users_columnsincludes\classes\class-column-users.php:15

actionwp_footerincludes\classes\class-manage-verification.php:12

actionwp_footerincludes\classes\class-manage-verification.php:13

actionadmin_menuincludes\classes\class-settings.php:10

actionuser_verification_clean_user_metaincludes\functions-cron-hook.php:13

actionuser_verification_delete_unverified_userincludes\functions-cron-hook.php:61

actionuser_verification_existing_user_verifiedincludes\functions-cron-hook.php:130

actionuser_verification_validated_users_emailincludes\functions-cron-hook.php:177

filterregistration_errorsincludes\functions-email-validation.php:5

filterauthenticateincludes\functions-email-validation.php:109

actiontrash_commentincludes\functions-isspammy.php:124

actionspam_commentincludes\functions-isspammy.php:203

filterregistration_errorsincludes\functions-isspammy.php:245

actioncomment_form_afterincludes\functions-isspammy.php:326

filterpre_comment_approvedincludes\functions-isspammy.php:347

actionwp_login_failedincludes\functions-login-attempt.php:8

actionwp_loginincludes\functions-login-attempt.php:111

actionlogin_formincludes\functions-recaptcha.php:14

filterwp_authenticate_userincludes\functions-recaptcha.php:74

actionregister_formincludes\functions-recaptcha.php:127

filterregistration_errorsincludes\functions-recaptcha.php:189

actionlostpassword_formincludes\functions-recaptcha.php:224

actionwoocommerce_login_formincludes\functions-recaptcha.php:277

actionwoocommerce_register_formincludes\functions-recaptcha.php:340

actionwoocommerce_register_postincludes\functions-recaptcha.php:404

actionwoocommerce_lostpassword_formincludes\functions-recaptcha.php:440

actionlostpassword_postincludes\functions-recaptcha.php:500

filtercomment_form_defaultsincludes\functions-recaptcha.php:543

filterpreprocess_commentincludes\functions-recaptcha.php:619

actionrest_api_initincludes\functions-rest.php:11

actionshow_user_profileincludes\functions-user-profile.php:5

actionedit_user_profileincludes\functions-user-profile.php:6

actionpersonal_options_updateincludes\functions-user-profile.php:8

actionedit_user_profile_updateincludes\functions-user-profile.php:9

filterbulk_actions-usersincludes\functions.php:25

filterhandle_bulk_actions-usersincludes\functions.php:40

actionadmin_noticesincludes\functions.php:68

filterregistration_errorsincludes\functions.php:153

filterregistration_errorsincludes\functions.php:177

filterregistration_errorsincludes\functions.php:330

filterregistration_errorsincludes\functions.php:359

actioninitincludes\functions.php:552

filterauthenticateincludes\functions.php:595

actionuser_registerincludes\functions.php:725

actionprofile_updateincludes\functions.php:890

actioninitincludes\functions.php:1053

filterwp_mail_fromincludes\functions.php:1056

filterwp_mail_from_nameincludes\functions.php:1072

actionrestrict_manage_usersincludes\functions.php:1126

filterpre_get_usersincludes\functions.php:1170

actionwp_print_footer_scriptsincludes\functions.php:1191

filteruser_verification_form_wrap_process_otpLogintemplates\email-otp-login-form\hook.php:4

actionuser_verification_otp_login_formtemplates\email-otp-login-form\index.php:4

filteruser_verification_form_wrap_process_magicLogintemplates\magic-login-form\hook.php:4

actioninittemplates\magic-login-form\hook.php:170

actionuser_verification_magic_login_formtemplates\magic-login-form\index.php:4

actionplugins_loadeduser-verification.php:35

filtercron_schedulesuser-verification.php:38

actionwp_enqueue_scriptsuser-verification.php:39

actionlogin_enqueue_scriptsuser-verification.php:40

actionadmin_enqueue_scriptsuser-verification.php:174

actionadmin_enqueue_scriptsuser-verification.php:175

Scheduled Events 3

user_verification_clean_user_meta

user_verification_verify_reminder

user_verification_validated_users_email

Maintenance & Trust

User Verification by PickPlugins Maintenance & Trust

Maintenance Signals

WordPress version tested6.9.4

Last updatedFeb 14, 2026

PHP min version

Downloads331K

Community Trust

Rating90/100

Number of ratings63

Active installs5K

Alternatives

User Verification by PickPlugins Alternatives

ZeroBounce Email Verification & Validation

zerobounce

ZeroBounce validates emails on your WordPress site in real-time, blocking invalid and risky emails to improve deliverability and reduce bounce rates.

1K 1 CVE

Clearout Email Validator – Real-Time Email Verification on WordPress Forms

clearout-email-validator

Block invalid emails like temporary, disposable, etc. with our real-time email verification. Verify email address during form-fill and stop form spam.

600 1 CVE

DeBounce Email Validator

debounce-io-email-validator

Real-time email validation for WordPress forms. Block invalid, disposable, and risky emails to keep your database clean and improve deliverability.

300 4 CVEs

QuickEmailVerification

quickemailverification

100

The QuickEmailVerification email verification plugin to avoid fake, bad and nonexistent emails.

200 No CVEs

Dilli Email Validator

dilli-email-validator

100

Validates email addresses in real-time and blocks form submissions with invalid or fake emails. Reduce spam, fix typos, and capture quality leads.

100 No CVEs

Developer Profile

User Verification by PickPlugins Developer Profile

PickPlugins

14 plugins · 94K total installs

trust score

Avg Security Score

83/100

Avg Patch Time

344 days

View full developer profile

Detection Fingerprints

How We Detect User Verification by PickPlugins

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths

/wp-content/plugins/user-verification/assets/css/custom.css/wp-content/plugins/user-verification/assets/css/style.css/wp-content/plugins/user-verification/assets/js/front.js/wp-content/plugins/user-verification/assets/js/vendor/jquery.validation.js

Script Paths

/wp-content/plugins/user-verification/assets/js/front.js/wp-content/plugins/user-verification/assets/js/vendor/jquery.validation.js

Version Parameters

user-verification/assets/css/custom.css?ver=user-verification/assets/css/style.css?ver=user-verification/assets/js/front.js?ver=user-verification/assets/js/vendor/jquery.validation.js?ver=

HTML / DOM Fingerprints

CSS Classes

user-verification-login-formuser-verification-magic-login-formuser-verification-email-otp-login-formuser-verification-stats-containeruv_user_profile_sectionuv-admin-notice

HTML Comments

+18 more

Data Attributes

data-uv-actiondata-uv-type

JS Globals

UserVerificationVarsuv_user_verification_ajax_object

REST Endpoints

/wp-json/user-verification/v1/settings/wp-json/user-verification/v1/stats/wp-json/user-verification/v1/users

Shortcode Output

[user_verification_login_form][user_verification_magic_login_form][user_verification_email_otp_login_form]

FAQ

User Verification by PickPlugins Security & Risk Analysis

Is User Verification by PickPlugins Safe to Use in 2026?

Generally Safe

Key Concerns

User Verification by PickPlugins Security Vulnerabilities

CVEs by Year

Severity Breakdown

User Verification by PickPlugins Code Analysis

Dangerous Functions Found

Bundled Libraries

SQL Query Safety

Output Escaping

Data Flow Analysis

User Verification by PickPlugins Attack Surface

AJAX Handlers 3

REST API Routes 8

Shortcodes 9

Scheduled Events 3

User Verification by PickPlugins Maintenance & Trust

Maintenance Signals

Community Trust

User Verification by PickPlugins Alternatives

ZeroBounce Email Verification & Validation

Clearout Email Validator – Real-Time Email Verification on WordPress Forms

DeBounce Email Validator

QuickEmailVerification

Dilli Email Validator

User Verification by PickPlugins Developer Profile

How We Detect User Verification by PickPlugins

Asset Fingerprints

HTML / DOM Fingerprints

Frequently Asked Questions about User Verification by PickPlugins