Impact
The vulnerability is a predictable account verification token in Pie Register plugin versions prior to 3.8.4.10. Because the token generation lacks sufficient randomness, an attacker can calculate or brute-force a valid verification link without having access to the target's email inbox. Successful exploitation allows an attacker to activate an unverified user account and gain authenticated access to the WordPress site under the new user's identity, potentially exposing sensitive content or enabling further privilege escalation. The underlying weakness is insufficient randomness in a security-relevant value (CWE-330, Use of Insufficiently Random Values).
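The following is an added illustration of the weakness class described above, not code from Pie Register or from the advisory: a hypothetical token derived from values an outsider can know (user id, registration time) is reproducible, whereas a token drawn from the OS CSPRNG, stored only as a hash, bounded by an expiry and consumed on first use is not. The `VerificationStore` class and the `weak_token` function are constructed for this example; the pattern is language-agnostic and applies equally to a PHP plugin.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Tuple

# Constructed example of CWE-330: the token is a pure function of inputs
# that are not secret, so anyone who knows or guesses them can recompute it.
def weak_token(user_id: int, registered_at: int) -> str:
    return hashlib.md5(f"{user_id}:{registered_at}".encode()).hexdigest()


class VerificationStore:
    """Hardened issuance and checking of account-verification tokens."""

    def __init__(self, ttl_seconds: int = 3600) -> None:
        self.ttl = ttl_seconds
        # user_id -> (sha256 hex of token, expiry timestamp)
        self._pending: Dict[int, Tuple[str, float]] = {}

    def issue(self, user_id: int, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).hexdigest()
        # Only the hash is persisted, so a database leak does not expose
        # live tokens; the plaintext goes out in the e-mail link once.
        self._pending[user_id] = (digest, now + self.ttl)
        return token

    def verify(self, user_id: int, token: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        digest, expiry = entry
        if now > expiry:
            del self._pending[user_id]  # expired tokens are discarded
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        # Constant-time comparison avoids leaking how many characters matched.
        if not hmac.compare_digest(presented, digest):
            return False
        del self._pending[user_id]  # single use: a replayed link must fail
        return True
```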
Affected Systems
Affected systems are WordPress sites running the Pie Register plugin at a version older than 3.8.4.10. The plugin is distributed under the name Pie Register, and no vendor identifier beyond "Unknown:Pie Register" is provided. No further detail is available on installation channels or custom deployments, so any site running a vulnerable version should be considered at risk.
Risk and Exploitability
Exploitation requires only the ability to generate a candidate token and submit the verification request, both of which can be done through the public web interface. No CVSS score has been published, no EPSS value is available, and the vulnerability is not listed in CISA's KEV catalog. Despite the absence of a formal impact score, the potential for unauthenticated account activation is high enough to warrant immediate remediation. Attackers are presumed to use automated enumeration or brute force to predict tokens, so the effort required is modest for an attacker with moderate technical skill. Defenders should upgrade to 3.8.4.10 or later and review recently activated accounts whose verification was completed without a corresponding e-mail click.
OpenCVE Enrichment