External risk intelligence

WordPress plugin allows attackers to take over accounts

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2026-5722

A critical flaw in the MoreConvert Pro WordPress plugin lets anyone take over user accounts, including administrators, by tricking the system with fake verification codes. This affects public-facing websites and deserves immediate attention.

Halo Surface Signal: 4

Authentication Bypass

External exposure likelihood

Halo Surface Signal score for CVE-2026-5722

This vulnerability affects a WordPress plugin, which functions as part of a public-facing web application. The vulnerable guest waitlist feature is designed to be accessible to visitors over the internet, making the exposed surface inherently reachable by any external user in standard deployments.

Horizon Alert

Summary of the vulnerability and why it matters

The MoreConvert Pro plugin for WordPress has an authentication bypass flaw that allows attackers to take over user accounts. This happens because the plugin doesn't properly invalidate verification tokens when email addresses are changed, enabling unauthorized access to sensitive information and administrative functions.

  • Unauthenticated attackers can gain access.
  • It affects existing user accounts.
  • This issue is critical.

Attack Path

How an attacker could exploit the issue

Unauthenticated attackers can gain administrator access to WordPress sites using the MoreConvert Pro plugin by exploiting a flaw in the guest waitlist verification. They can obtain a verification token for an attacker-controlled email, change that email in the waitlist to a target account's email, and then use the original token to authenticate as that target user.

  • Public waitlist feature abuse.
  • Authenticates as any user.
  • No prior access required.

Live Threat

Current exploitation, exposure, and threat context

This WordPress plugin vulnerability allows unauthenticated attackers to take over user accounts, including administrator roles. Attackers will likely find this attractive because it bypasses authentication with a critical impact. While there is no direct evidence of active exploitation, the potential for widespread compromise is significant.

  • Affects public-facing plugin.
  • No public exploit code observed.
  • Not listed in KEV.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize identifying and blocking malicious traffic attempting to exploit the authentication bypass in the MoreConvert Pro WordPress plugin. The vulnerability allows unauthenticated attackers to impersonate existing users, including administrators, by manipulating verification tokens. Immediately investigate logs for suspicious activity related to guest waitlist verification and user impersonation.

  • Block traffic from suspicious IPs.
  • Monitor for unauthorized user logins.
  • Block access to the waitlist feature.
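The log-monitoring step above is easiest to act on if it is expressed as a concrete correlation rule. The following Python is an added illustration, not part of this advisory and not MoreConvert Pro's own code: it runs over a constructed, hypothetical key=value application log (the event and field names are assumptions, since the plugin's real log format is not documented here) and flags any waitlist verification that signs a user in after the entry's email was changed, or that signs in an address other than the one that originally joined the waitlist.

```python
import re

# Constructed sample events in a hypothetical key=value application log.
# Event names and field names are assumptions, not the plugin's real format.
# 203.0.113.x and 198.51.100.x are documentation address ranges.
SAMPLE_LOG = """\
2026-01-10T12:00:01Z ip=203.0.113.5 event=waitlist.join entry=wl-1 email=attacker@example.test
2026-01-10T12:00:09Z ip=203.0.113.5 event=waitlist.email_change entry=wl-1 new=admin@example.test
2026-01-10T12:00:15Z ip=203.0.113.5 event=waitlist.verify entry=wl-1 result=login user=admin@example.test
2026-01-10T12:05:00Z ip=198.51.100.7 event=waitlist.join entry=wl-2 email=shopper@example.test
2026-01-10T12:06:00Z ip=198.51.100.7 event=waitlist.verify entry=wl-2 result=login user=shopper@example.test
"""

FIELD = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split a log line into its timestamp plus a dict of key=value fields."""
    ts, _, rest = line.partition(" ")
    rec = dict(FIELD.findall(rest))
    rec["ts"] = ts
    return rec


def find_token_reuse_after_email_change(log_text):
    """Return one finding per waitlist verification that looks like the
    advisory's attack path: a login via a waitlist token after the entry's
    email changed, or a login as an address other than the joining one."""
    joined = {}      # entry id -> email that originally requested the token
    changed = set()  # entry ids whose email changed after the token was issued
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        event, entry = rec.get("event"), rec.get("entry")
        if event == "waitlist.join":
            joined[entry] = rec["email"].lower()
            changed.discard(entry)  # a fresh join resets the entry's state
        elif event == "waitlist.email_change":
            changed.add(entry)
        elif event == "waitlist.verify" and rec.get("result") == "login":
            user = rec.get("user", "").lower()
            mismatch = entry in joined and user != joined[entry]
            if entry in changed or mismatch:
                findings.append({
                    "ts": rec["ts"],
                    "ip": rec.get("ip"),
                    "entry": entry,
                    "requested_by": joined.get(entry),
                    "logged_in_as": user,
                })
    return findings


if __name__ == "__main__":
    for finding in find_token_reuse_after_email_change(SAMPLE_LOG):
        print(finding)  # one finding: wl-1 from 203.0.113.5 logged in as admin@example.test
```

Only the wl-1 sequence is flagged: the token was requested by one address and redeemed as another after an email change, while wl-2 is an ordinary join followed by a matching verification. In a real deployment the source IP in each finding is the natural input to the "block suspicious IPs" action above, and the entry id is what to pull from the plugin's own tables during investigation.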

Frequently asked questions

What is the MoreConvert Pro plugin and its function on WordPress sites?

MoreConvert Pro is a WordPress plugin designed to help website owners manage customer waitlists. It allows users to sign up for notifications about product availability or exclusive offers.

What is the authentication bypass vulnerability in MoreConvert Pro?

The vulnerability is an authentication bypass (CWE-287) where attackers can trick the MoreConvert Pro plugin into granting them administrator privileges without proper credentials. This is possible because verification tokens are not properly handled when an email address is changed.

How can an attacker exploit the MoreConvert Pro authentication bypass?

An attacker can exploit this by obtaining a valid verification token for an email they control. They then change the email associated with the waitlist to a target user's email and use the original token to authenticate as that user, potentially gaining administrative access.
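The root cause described in this answer and in the summary above (a verification token that stays valid after the waitlist entry's email is changed) is easiest to see side by side with the fix. The following Python is an added illustration written for this page, not code from the plugin or its vendor: a minimal waitlist model with the defect, the same model hardened so the token is bound to the email it was issued for (keyed HMAC over entry id, email and issue time, rotated on any email change and given a short lifetime), and a replay of the three-step path from the advisory against both. Entry ids, addresses and the secret key are constructed.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Constructed identities for the walkthrough (not from the advisory).
ATTACKER_EMAIL = "attacker@example.test"
TARGET_EMAIL = "admin@example.test"


@dataclass
class Entry:
    email: str
    token: str
    issued_at: float


class VulnerableWaitlist:
    """Models the defect: a token is minted once per entry and remains
    valid no matter what the entry's email is later changed to."""

    def __init__(self):
        self.entries = {}

    def join(self, entry_id, email):
        token = secrets.token_hex(16)
        self.entries[entry_id] = Entry(email, token, time.time())
        return token  # would be e-mailed to `email`

    def change_email(self, entry_id, new_email):
        # Defect: the old token is neither revoked nor re-bound.
        self.entries[entry_id].email = new_email

    def verify(self, entry_id, token):
        entry = self.entries.get(entry_id)
        if entry is None or not hmac.compare_digest(entry.token, token):
            return None
        return entry.email  # caller signs in the account owning this address


class HardenedWaitlist:
    """Binds the token to the email it was sent to with a keyed HMAC,
    rotates it whenever the email changes, and enforces a short lifetime."""

    def __init__(self, secret, ttl_seconds=900):
        self.secret = secret
        self.ttl = ttl_seconds
        self.entries = {}

    def _mint(self, entry_id, email, issued_at):
        msg = f"{entry_id}|{email.strip().lower()}|{int(issued_at)}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def join(self, entry_id, email, now=None):
        issued = now if now is not None else time.time()
        token = self._mint(entry_id, email, issued)
        self.entries[entry_id] = Entry(email, token, issued)
        return token

    def change_email(self, entry_id, new_email, now=None):
        # The email is part of the HMAC input, so the old token can no
        # longer verify; a fresh token must be delivered to the new address.
        return self.join(entry_id, new_email, now)

    def verify(self, entry_id, token, now=None):
        entry = self.entries.get(entry_id)
        if entry is None:
            return None
        current = now if now is not None else time.time()
        if current - entry.issued_at > self.ttl:
            return None  # expired
        expected = self._mint(entry_id, entry.email, entry.issued_at)
        if not hmac.compare_digest(expected, token):
            return None
        return entry.email


def run_scenario(waitlist):
    """Replay the advisory's three steps and return which address the
    original token signs in as (None means the token was rejected)."""
    entry_id = "wl-1"
    attacker_token = waitlist.join(entry_id, ATTACKER_EMAIL)  # 1: get a token
    waitlist.change_email(entry_id, TARGET_EMAIL)             # 2: swap the email
    return waitlist.verify(entry_id, attacker_token)          # 3: reuse the token


if __name__ == "__main__":
    print("vulnerable:", run_scenario(VulnerableWaitlist()))  # admin@example.test
    print("hardened:", run_scenario(HardenedWaitlist(secrets.token_bytes(32))))  # None
```

The hardened variant closes the gap in two independent ways: recomputing the HMAC over the entry's current email means a token issued for one address can never verify for another, and rotating the stored token on every change means the old value is gone from the server side as well. The lifetime check is a separate, smaller control that limits how long any issued token stays usable.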

How critical is the MoreConvert Pro authentication bypass vulnerability?

This vulnerability is rated as CRITICAL, with a base score of 9.8 out of 10. The attack vector is network-based, requires no privileges, and has no user interaction, making it highly exploitable and dangerous.

What steps should be taken to address the MoreConvert Pro vulnerability?

It is recommended to identify and block any malicious traffic attempting to exploit this authentication bypass. Monitoring logs for suspicious activity related to waitlist verification and unauthorized logins is crucial. Blocking access to the waitlist feature can also mitigate risk.
