MoreConvert Pro WordPress Plugin Critical Authentication Bypass (CVE-2026-5722)
The MoreConvert Pro plugin for WordPress is exposed to a critical authentication bypass vulnerability, identified as CVE-2026-5722. According to the National Vulnerability Database, all versions up to and including 1.9.14 are affected. This flaw stems from an oversight in the guest waitlist verification process, where verification tokens are not properly invalidated or regenerated when a customer’s email address is changed.
This design flaw creates a dangerous window for unauthenticated attackers. They can obtain a valid guest verification token for an email they control, then manipulate the public waitlist flow to change that same guest customer email to a target account’s email address. Crucially, they can then leverage the original verification link to authenticate as the target user, including high-privilege administrators.
With a CVSS score of 9.8 (Critical), this vulnerability represents a severe risk. It effectively allows full account takeover without requiring any prior authentication, making it a prime target for attackers looking to gain deep access to WordPress sites. The attacker’s calculus here is straightforward: exploit a broken authentication mechanism to gain control, then pivot to broader compromise.
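To make the root cause concrete, here is an added illustrative model in Python (not the plugin's code and not from the page's source) of a guest waitlist verification flow: a token bound only to the guest record keeps working after the stored email is swapped, while a token that commits to the email plus a nonce rotated on every change is rejected. The class names, key and e-mail addresses are constructed for this example.

```python
import hashlib
import hmac
import secrets

# Constructed model of a guest-waitlist verification flow (not the plugin's code).
# A link is the pair (guest_id, token); verify() returns the email it authenticates, or None.

class VulnerableWaitlist:
    """Token minted once per guest and never re-bound: it survives an email change."""
    def __init__(self):
        self.guests = {}  # guest_id -> {"email": ..., "token": ...}
    def subscribe(self, guest_id, email):
        self.guests[guest_id] = {"email": email, "token": secrets.token_hex(16)}
        return self.guests[guest_id]["token"]
    def change_email(self, guest_id, new_email):
        self.guests[guest_id]["email"] = new_email  # the flaw: old token stays valid
    def verify(self, guest_id, token):
        rec = self.guests.get(guest_id)
        if rec is None or not hmac.compare_digest(rec["token"], token):
            return None
        return rec["email"]

class HardenedWaitlist:
    """Token = HMAC(key, guest_id|email|nonce). Changing the email rotates the nonce,
    so every previously issued link for that guest stops verifying."""
    def __init__(self, key):
        self.key, self.guests = key, {}  # guest_id -> {"email": ..., "nonce": ...}
    def _mint(self, guest_id, email, nonce):
        msg = f"{guest_id}|{email}|{nonce}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()
    def subscribe(self, guest_id, email):
        self.guests[guest_id] = {"email": email, "nonce": secrets.token_hex(8)}
        return self._mint(guest_id, email, self.guests[guest_id]["nonce"])
    def change_email(self, guest_id, new_email):
        # Rotate the nonce; the fresh link must be sent only to new_email, so the
        # holder of that mailbox is the one who proves ownership.
        self.guests[guest_id] = {"email": new_email, "nonce": secrets.token_hex(8)}
        return self._mint(guest_id, new_email, self.guests[guest_id]["nonce"])
    def verify(self, guest_id, token):
        rec = self.guests.get(guest_id)
        if rec is None:
            return None
        expected = self._mint(guest_id, rec["email"], rec["nonce"])
        return rec["email"] if hmac.compare_digest(expected, token) else None

def old_link_after_email_change(waitlist):
    """Subscribe, change the email, then present the ORIGINAL link: whom does it log in?"""
    token = waitlist.subscribe("guest-1", "guest@example.invalid")
    waitlist.change_email("guest-1", "admin@example.invalid")
    return waitlist.verify("guest-1", token)
```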
What This Means For You
- If your organization uses the MoreConvert Pro plugin for WordPress, you are critically exposed to full administrator account takeover. Immediately audit all WordPress sites for this plugin and ensure it is either patched to a secure version (if available) or removed. Review all administrative user logs for any suspicious authentication events that coincide with this vulnerability's disclosure.
🛡️ Detection Rules
CVE-2026-5722: MoreConvert Pro WordPress Authentication Bypass via Guest Waitlist
```yaml
title: 'CVE-2026-5722: MoreConvert Pro WordPress Authentication Bypass via Guest Waitlist'
id: scw-2026-05-05-ai-1
status: experimental
level: critical
description: |
  This rule detects the specific AJAX action used in the MoreConvert Pro WordPress plugin's guest waitlist verification flow. Exploitation of CVE-2026-5722 involves manipulating this flow to bypass authentication by changing customer email addresses and reusing verification tokens. This detection focuses on the initial access vector of the vulnerability.
author: SCW Feed Engine (AI-generated)
date: 2026-05-05
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-5722/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/wp-admin/admin-ajax.php'
    cs-uri-query|contains:
      - 'action=moreconvert_guest_waitlist_verification'
    cs-method|contains:
      - 'POST'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Source: Shimi's Cyber World
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-5722 | Auth Bypass | MoreConvert Pro plugin for WordPress versions <= 1.9.14 |
| CVE-2026-5722 | Auth Bypass | Guest waitlist verification flow |
| CVE-2026-5722 | Auth Bypass | Failure to invalidate/regenerate verification tokens upon email change |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 05, 2026 at 05:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.