Description
The MoreConvert Pro plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.9.14. This is due to the guest waitlist verification flow not invalidating or regenerating verification tokens when the customer email address is changed. This makes it possible for unauthenticated attackers to authenticate as existing users, including administrators, by obtaining a valid guest verification token for an attacker-controlled email, changing the same guest customer email to the target account email through the public waitlist flow, and then using the original verification link.
Published: 2026-05-05
Score: 9.8 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a flaw in MoreConvert Pro's guest waitlist verification flow that neglects to invalidate or regenerate verification tokens when a customer email is altered. As a result, an attacker who has already collected a verification token for an email controlled by them can later change the guest customer's email address to that of a target user through the public waitlist interface. Using the original token, the attacker authenticates as the target, including privileged administrator users. This bypass of authentication directly compromises the confidentiality and integrity of the entire WordPress site, allowing full control of content, settings, and potentially the underlying database.
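To make the defect class concrete, the following Python model is an added example and is not MoreConvert Pro's code; the plugin's real token format, storage and endpoint names are not known from this page. It is written in Python rather than the plugin's PHP so that it runs stand-alone. `WeakWaitlist` reproduces the pattern the advisory describes (a verification token stored on the customer record that survives an email change), and `HardenedWaitlist` shows the mitigation the recommended actions refer to: the token is bound to the email through an HMAC and rotated on every email change and on every successful use. The class names, `SERVER_KEY`, the customer ids and the `example.invalid` addresses are all constructed for this example.

```python
"""Model of a guest-verification token flow: the weak variant leaves a token
valid across an email change (the defect class in this advisory); the hardened
variant binds the token to the email and rotates it on every change.
Everything here is constructed for illustration; none of it is plugin code."""
import hashlib
import hmac
import secrets

# Constructed demo key; a real deployment would load this from configuration.
SERVER_KEY = b"constructed-demo-key-not-a-real-secret"


class WeakWaitlist:
    """Token is a random string stored on the customer record. Changing the
    email leaves the stored token untouched, so a link issued for one address
    still verifies after the record points at a different address."""

    def __init__(self):
        self.customers = {}  # customer_id -> {"email": str, "token": str}

    def request_verification(self, customer_id, email):
        rec = self.customers.setdefault(
            customer_id, {"email": email, "token": secrets.token_urlsafe(32)})
        rec["email"] = email
        return rec["token"]

    def change_email(self, customer_id, new_email):
        self.customers[customer_id]["email"] = new_email  # token not rotated: the defect

    def verify(self, customer_id, token):
        rec = self.customers.get(customer_id)
        if rec is None or not hmac.compare_digest(rec["token"], token):
            return None
        return rec["email"]  # caller is now treated as the owner of this address


class HardenedWaitlist:
    """Token is an HMAC over (customer_id, email, per-record nonce). Any email
    change, and any successful verification, rotates the nonce, so old links
    are dead and each token is single-use."""

    def __init__(self):
        self.customers = {}  # customer_id -> {"email": str, "nonce": str}

    @staticmethod
    def _mac(customer_id, email, nonce):
        msg = f"{customer_id}\x00{email.strip().lower()}\x00{nonce}".encode()
        return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

    def _reset(self, customer_id, email):
        self.customers[customer_id] = {"email": email, "nonce": secrets.token_hex(16)}
        return self.customers[customer_id]

    def request_verification(self, customer_id, email):
        rec = self.customers.get(customer_id)
        if rec is None or rec["email"].lower() != email.strip().lower():
            rec = self._reset(customer_id, email)
        return self._mac(customer_id, email, rec["nonce"])

    def change_email(self, customer_id, new_email):
        self._reset(customer_id, new_email)  # invalidates every outstanding token

    def verify(self, customer_id, token):
        rec = self.customers.get(customer_id)
        if rec is None:
            return None
        expected = self._mac(customer_id, rec["email"], rec["nonce"])
        if not hmac.compare_digest(expected, token):
            return None
        self._reset(customer_id, rec["email"])  # consume the token: single use
        return rec["email"]


def old_token_rejected_after_email_change(waitlist):
    """Regression check for the fix: a token issued for one address must not
    verify once the record's email has been changed to another address."""
    first, second = "first@example.invalid", "second@example.invalid"  # constructed
    token = waitlist.request_verification(customer_id=42, email=first)
    waitlist.change_email(42, second)
    return waitlist.verify(42, token) is None


def token_is_single_use(waitlist):
    """A second use of the same valid token must fail."""
    token = waitlist.request_verification(7, "guest@example.invalid")  # constructed
    return waitlist.verify(7, token) is not None and waitlist.verify(7, token) is None


if __name__ == "__main__":
    print("weak rejects reused token:", old_token_rejected_after_email_change(WeakWaitlist()))
    print("hardened rejects reused token:", old_token_rejected_after_email_change(HardenedWaitlist()))
    print("hardened token single-use:", token_is_single_use(HardenedWaitlist()))
```

The two check functions are the tests a patch for this class of bug should ship with: `old_token_rejected_after_email_change` fails against the weak design and passes against the hardened one, and `token_is_single_use` covers the related replay case. Binding the MAC to the normalized email, rather than only rotating a stored random token, means that even a race between the email update and the verification request cannot make a token issued for one address vouch for another.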

Affected Systems

This flaw affects all published releases of the MoreConvert Pro WordPress plugin up to and including version 1.9.14. All installations of MoreConvert Pro that have not been patched beyond that version are vulnerable and should be treated as at risk.

Risk and Exploitability

The CVSS score of 9.8 places this vulnerability in the Critical range; the EPSS score is not yet available, and the absence of a KEV listing does not diminish the potential for rapid exploitation. The attack path requires only a public-facing request to the waitlist endpoint; no privileged credentials or complex configuration are needed. Consequently, an unauthenticated attacker can readily perform the token reuse and obtain administrator access. Immediate remediation is strongly recommended.

Generated by OpenCVE AI on May 5, 2026 at 02:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MoreConvert Pro to version 1.9.15 or newer, where the guest verification token is properly invalidated after email changes.
  • If an upgrade is not immediately possible, temporarily disable the guest waitlist feature or restrict access to the waitlist endpoint via firewall or role restrictions.
  • Review audit logs for unusual authentication events and monitor for persistence mechanisms that indicate exploitation.


Advisories

No advisories yet.

History

Tue, 05 May 2026 01:45:00 +0000

Type        | Values Removed | Values Added
Description |                | The MoreConvert Pro plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.9.14. This is due to the guest waitlist verification flow not invalidating or regenerating verification tokens when the customer email address is changed. This makes it possible for unauthenticated attackers to authenticate as existing users, including administrators, by obtaining a valid guest verification token for an attacker-controlled email, changing the same guest customer email to the target account email through the public waitlist flow, and then using the original verification link.
Title       |                | MoreConvert Pro <= 1.9.14 - Authentication Bypass via Waitlist Guest Verification Token Reuse
Weaknesses  |                | CWE-287
References  |                |
Metrics     |                | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-05T01:24:36.485Z

Reserved: 2026-04-06T20:32:04.084Z

Link: CVE-2026-5722

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-05T02:16:05.020

Modified: 2026-05-05T02:16:05.020

Link: CVE-2026-5722

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T02:30:13Z

Weaknesses