Executive Summary
A critical authentication bypass vulnerability (CVE-2026-5722) has been disclosed in the MoreConvert Pro plugin for WordPress, affecting all versions up to and including 1.9.14. The flaw carries a CVSS score of 9.8 (Critical), reflecting a network-reachable attack path that requires neither authentication nor user interaction.
The vulnerability exists in the plugin's guest waitlist verification flow. When a customer's email address is changed, the system fails to invalidate or regenerate the associated verification token. An attacker can reuse a previously issued token alongside a substituted email address to authenticate as an arbitrary registered user without possessing their password.
Site owners running any affected version should apply the vendor patch immediately or disable the MoreConvert Pro waitlist feature until the update is applied.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-5722 |
| CVSS Score | 9.8 (Critical) |
| CWE | CWE-288 — Authentication Bypass Using an Alternate Path or Channel |
| Type | Authentication Bypass / Account Takeover |
| Attack Vector | Network |
| Privileges Required | None (unauthenticated) |
| User Interaction | None |
| Affected Versions | All ≤ 1.9.14 |
| Patch Available | Yes — update to the latest patched release |
Affected Versions
| Plugin | Affected Versions | Fixed Version |
|---|---|---|
| MoreConvert Pro | All versions ≤ 1.9.14 | 1.9.15+ (check vendor advisory) |
Technical Analysis
Root Cause
The MoreConvert Pro plugin provides e-commerce conversion tools for WooCommerce-powered WordPress stores, including a guest waitlist feature that notifies customers when out-of-stock products become available. As part of this flow, the plugin issues verification tokens to guests to confirm their identity before performing waitlist-related operations.
The critical flaw: when a customer's email address is updated, the plugin does not invalidate or regenerate the verification token bound to the previous address. The old token remains valid and is not tied to a confirmed email.
An attacker can therefore:
- Obtain a valid verification token (for example, one issued to the attacker's own guest waitlist signup, or one observed in a verification URL)
- Submit that token in a verification request together with a different, registered user's email address
- Because the token is only checked for having been legitimately issued, not for matching the email it was issued to, the plugin accepts it and authenticates the request as the owner of the supplied email address
Attack Flow
1. Attacker triggers a guest waitlist signup with an attacker-controlled email address and receives a verification token via email
2. The email address associated with that waitlist entry is changed
3. The previously issued token is neither regenerated nor revoked, so it remains valid and is no longer tied to a confirmed address
4. Attacker sends a crafted verification POST request containing:
   - verification_token: [attacker's still-valid token]
   - email: [target user's registered email address]
5. Plugin validates the token and accepts it (it was legitimately issued)
6. Plugin looks up the account by the supplied email and finds the target user
7. Plugin establishes an authenticated session as the target user
8. Attacker is now logged in without knowing the target's password
Exploitation Conditions
- MoreConvert Pro version 1.9.14 or earlier must be installed and active
- The waitlist/backorder notification feature must be enabled (common in WooCommerce stores)
- The attacker needs a valid unexpired verification token (obtainable via their own guest signup)
- The attacker needs a registered email address on the site (discoverable via product review authors, WooCommerce checkout exposure, or past data leaks)
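To make the failure described above concrete, here is a Python model of the vulnerable verification flow beside a hardened one. This is an added example, not code from MoreConvert Pro (a PHP plugin whose source is not reproduced here); the class names, the in-memory token store, the expiry window and the way the `verification_token` and `email` values are handled are assumptions that follow the root cause and attack flow as described, and the registered accounts are constructed sample data.

```python
"""Model of the token-binding flaw behind CVE-2026-5722 and a hardened variant.

Added example in Python. The real plugin is PHP and its code is not shown;
storage layout, function names and the parameters are assumptions.
"""
import hashlib
import hmac
import secrets
import time

# Constructed sample data: two registered accounts on the store.
REGISTERED_USERS = {"victim@example.com": "victim", "attacker@example.com": "attacker"}


def _digest(token: str) -> str:
    # Store only a hash of the token so a database read does not yield usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


class VulnerableWaitlist:
    """Token is checked for existence only; the email in the request is trusted as supplied."""

    def __init__(self):
        self.tokens = {}  # sha256(token) -> email the token was issued for

    def issue_token(self, email: str) -> str:
        token = secrets.token_urlsafe(32)
        self.tokens[_digest(token)] = email
        return token

    def change_email(self, token: str, new_email: str) -> None:
        # Flaw 1: the entry is updated but the old token is neither revoked nor regenerated.
        self.tokens[_digest(token)] = new_email

    def verify(self, token: str, email: str):
        if _digest(token) not in self.tokens:
            return None
        # Flaw 2: the email the token was issued for is never compared with the one supplied,
        # so any valid token authenticates whichever account owns `email`.
        return REGISTERED_USERS.get(email)


class HardenedWaitlist:
    """Token is bound to one email, expires, is single-use, and is rotated on email change."""

    TTL = 15 * 60  # seconds; assumed value

    def __init__(self):
        self.tokens = {}  # sha256(token) -> (bound_email, expires_at)

    def issue_token(self, email: str) -> str:
        token = secrets.token_urlsafe(32)
        self.tokens[_digest(token)] = (email, time.time() + self.TTL)
        return token

    def change_email(self, token: str, new_email: str) -> str:
        # Revoke the token for the old address; the new address must be confirmed with a
        # fresh token delivered to it out of band.
        self.tokens.pop(_digest(token), None)
        return self.issue_token(new_email)

    def verify(self, token: str, email: str):
        record = self.tokens.pop(_digest(token), None)  # single use: burned on any attempt
        if record is None:
            return None
        bound_email, expires_at = record
        if time.time() > expires_at or not hmac.compare_digest(bound_email, email):
            return None  # expired, or presented with an email it was not issued for
        return REGISTERED_USERS.get(email)


def simulate_attack(waitlist):
    """Attacker obtains a token for their own address and replays it with the victim's email."""
    attacker_token = waitlist.issue_token("attacker@example.com")
    return waitlist.verify(attacker_token, "victim@example.com")


def simulate_email_change(waitlist):
    """Email on the waitlist entry is changed; does the token issued before the change still work?"""
    token = waitlist.issue_token("attacker@example.com")
    waitlist.change_email(token, "victim@example.com")
    return waitlist.verify(token, "victim@example.com")


if __name__ == "__main__":
    print("vulnerable, substituted email:", simulate_attack(VulnerableWaitlist()))   # victim
    print("hardened,   substituted email:", simulate_attack(HardenedWaitlist()))     # None
    print("vulnerable, after email change:", simulate_email_change(VulnerableWaitlist()))
    print("hardened,   after email change:", simulate_email_change(HardenedWaitlist()))
```

The fix is not one check but three that reinforce each other: the token must name the address it was issued for, it must be consumed on first use, and any change of address must rotate it. Dropping any one of them reopens a variant of the same bypass.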
Impact Assessment
| Impact Area | Description |
|---|---|
| Account Takeover | Any registered user account, including administrators, can be hijacked |
| Order Manipulation | Attacker can view, modify, or cancel orders associated with compromised accounts |
| PII Exfiltration | Billing addresses, phone numbers, and purchase history exposed |
| Privilege Escalation | If an admin account is targeted, full WordPress control is possible |
| Payment Data Exposure | Saved payment methods or stored card tokens may be accessible via account dashboard |
| Reputation Damage | Customer accounts compromised through a store's own plugin |
Immediate Remediation
Step 1: Update MoreConvert Pro
Update the plugin to the latest version through the WordPress admin panel:
Plugins > Installed Plugins > MoreConvert Pro > Update Now
Or via WP-CLI:
```bash
# The plugin slug is assumed here; confirm it with `wp plugin list`
wp plugin update moreconvert-pro
# Verify version after update
wp plugin get moreconvert-pro --field=version
```
Step 2: Disable Waitlist Feature if Update Is Delayed
If an immediate update is not possible, disable the guest waitlist / backorder notification functionality in MoreConvert Pro settings to remove the vulnerable code path.
Step 3: Audit for Compromise
```bash
# Use the site's real table prefix instead of assuming wp_
PREFIX=$(wp db prefix)

# Check for recently created or modified administrator accounts
wp user list --role=administrator --fields=user_login,user_email,user_registered

# Accounts registered in the last 14 days, across all roles
wp db query "SELECT user_login, user_email, user_registered FROM ${PREFIX}users WHERE user_registered > DATE_SUB(NOW(), INTERVAL 14 DAY);"

# Active sessions per user. meta_value is a PHP-serialized array keyed by hashed token;
# each entry records expiration, ip, ua and login time, so sessions from unexpected IPs show up here
wp db query "SELECT user_id, meta_value FROM ${PREFIX}usermeta WHERE meta_key = 'session_tokens';" | grep -v "^$"

# Login events from unfamiliar IPs and recent order or profile edits are not recorded by
# WordPress core; reviewing them requires an audit log plugin
```
Step 4: Harden Post-Update
```bash
# Invalidate all existing user sessions to force re-authentication
# (equivalent per user: wp user session destroy <user> --all)
wp db query "DELETE FROM $(wp db prefix)usermeta WHERE meta_key = 'session_tokens';"
# Regenerate WordPress secret keys; this also invalidates every existing auth cookie
wp config shuffle-salts
# Verify plugin integrity. Note: this compares against wordpress.org checksums, so it only
# works for plugins distributed there. For a commercial plugin, compare the installed
# directory against a fresh download from the vendor instead (for example with diff -r).
wp plugin verify-checksums moreconvert-pro
```
Detection Indicators
| Indicator | Description |
|---|---|
| Login events from unfamiliar IPs on customer accounts | Possible account takeover |
| Profile email or address changes not initiated by account owner | Post-compromise data modification |
| Unexpected order cancellations or address updates | Attacker manipulating account data |
| New admin accounts created recently | Privilege escalation attempt |
| Verification token parameters in unusual request patterns | Exploitation attempt in access logs |
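The last indicator in the table, token reuse across different email addresses, can be pulled out of web server logs mechanically. The script below is an added example in Python, not part of the original advisory or of the plugin: it parses combined-format access log lines and flags any verification token presented with more than one email, and any client presenting the verification endpoint with many distinct emails. The endpoint (`wc-ajax=mc_waitlist_verify`), the assumption that the verification fields appear in the query string (as they would when a link from the verification email is clicked), and the log lines themselves are all constructed for this example; if the plugin reads the fields from a POST body, feed the script a WAF or application log that records request bodies.

```python
"""Added detection example (Python): flag verification-token reuse with substituted emails.

Log format, endpoint path and parameter names are assumptions; the sample log is constructed.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Apache/nginx combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample traffic: one client replays token abc123 against three different emails.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Mar/2026:10:01:02 +0000] "GET /?wc-ajax=mc_waitlist_verify&verification_token=abc123&email=attacker%40example.com HTTP/1.1" 200 512
203.0.113.5 - - [12/Mar/2026:10:01:40 +0000] "GET /?wc-ajax=mc_waitlist_verify&verification_token=abc123&email=victim%40example.com HTTP/1.1" 302 0
203.0.113.5 - - [12/Mar/2026:10:01:55 +0000] "GET /?wc-ajax=mc_waitlist_verify&verification_token=abc123&email=admin%40example.com HTTP/1.1" 302 0
198.51.100.9 - - [12/Mar/2026:10:05:00 +0000] "GET /?wc-ajax=mc_waitlist_verify&verification_token=def456&email=shopper%40example.com HTTP/1.1" 200 512
198.51.100.9 - - [12/Mar/2026:10:06:00 +0000] "GET /product/widget/ HTTP/1.1" 200 8192
"""


def parse_verification_requests(log_text):
    """Yield (ip, token, email, status) for every request carrying a verification_token parameter."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        qs = parse_qs(urlparse(m["url"]).query)  # percent-decodes values such as %40 -> @
        if "verification_token" not in qs:
            continue
        yield m["ip"], qs["verification_token"][0], qs.get("email", [""])[0], int(m["status"])


def find_token_reuse(log_text, ip_threshold=3):
    """Return alerts as (kind, subject, sorted_emails) tuples.

    kind is "token_reused_with_substituted_email" when one token is seen with more than one
    email (the CVE-2026-5722 pattern), or "many_emails_from_one_ip" when one client presents
    at least ip_threshold distinct emails to the verification endpoint.
    """
    emails_by_token = defaultdict(set)
    emails_by_ip = defaultdict(set)
    for ip, token, email, _status in parse_verification_requests(log_text):
        emails_by_token[token].add(email)
        emails_by_ip[ip].add(email)

    alerts = []
    for token, emails in emails_by_token.items():
        if len(emails) > 1:
            alerts.append(("token_reused_with_substituted_email", token, sorted(emails)))
    for ip, emails in emails_by_ip.items():
        if len(emails) >= ip_threshold:
            alerts.append(("many_emails_from_one_ip", ip, sorted(emails)))
    return alerts


if __name__ == "__main__":
    for kind, subject, emails in find_token_reuse(SAMPLE_LOG):
        print(f"{kind}: {subject} -> {', '.join(emails)}")
```

A single token legitimately belongs to exactly one address, so the first alert kind should have a near-zero false-positive rate and is the one worth paging on; the per-IP count is noisier (shared NAT, corporate proxies) and is better treated as a triage hint.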
Post-Remediation Checklist
- Update MoreConvert Pro to the latest patched version
- Disable the waitlist feature if the patch cannot be applied immediately
- Invalidate all active user sessions to evict any attacker sessions
- Audit administrator accounts — remove any unrecognized entries
- Review access logs for suspicious login patterns over the past 30 days
- Reset passwords for any accounts showing anomalous login activity
- Regenerate WordPress secret keys to invalidate all existing auth cookies
- Enable two-factor authentication for administrator and editor accounts
- Deploy a Web Application Firewall with WordPress rule sets (Wordfence, Cloudflare)
- Monitor for continued exploitation and alert on token-reuse request patterns