The vulnerability in the Brave Conversion Engine (PRO) plugin allows an attacker who is not logged in to authenticate as any existing user on the WordPress site. By exploiting a flaw in the way the plugin validates a claimed identity from Facebook, the attacker can assume the privileges of that user, including administrative rights. This constitutes a serious loss of confidentiality, integrity, and availability because an adversary can modify content, install further malware or exfiltrate data. Based on the description, it is inferred that the attacker would exploit the Facebook authentication flow to achieve this bypass.

WordPress sites running the Brave Conversion Engine (PRO) plugin, all released versions up to and including 0.7.7. Any site that has not upgraded past this version is susceptible. The issue is tied to the Facebook authentication workflow within the plugin.

The CVSS score of 9.8 places this flaw in the critical range, and while the EPSS score is below 1% indicating a low current exploitation probability, the lack of active defensive measures means that once discovered, attackers can rapidly exploit the open authentication path. The vulnerability is not listed in the CISA KEV catalog, but the combination of its high severity and confirmed authentication bypass makes it a high priority for remediation. An attacker can simply send a crafted request to the login endpoint using a forged Facebook token, bypassing any credential checks and receiving an authenticated session with administrative privileges. Based on the description, it is inferred that this exploitation method involves manipulating the Facebook authentication flow.