CVE-2026-5722 CRITICAL

CVE-2026-5722: MoreConvert Pro <= 1.9.14 - Authentication Bypass via Waitlist Guest Verification Token Reuse

Vendor Moreconvert
Product MoreConvert Pro
Weakness CWE-287 · Improper authentication
Published May 5, 2026
Last update May 5, 2026

CVSS base score

9.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

The MoreConvert Pro plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.9.14. This is due to the guest waitlist verification flow not invalidating or regenerating verification tokens when the customer email address is changed. This makes it possible for unauthenticated attackers to authenticate as existing users, including administrators, by obtaining a valid guest verification token for an attacker-controlled email, changing the same guest customer email to the target account email through the public waitlist flow, and then using the original verification link.
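The defensive pattern this description calls for, as an added example (not MoreConvert Pro's code and not the vendor's patch): a pending verification token is stored with the email it was issued for, regenerated whenever that email changes, and accepted once. The class `GuestVerification`, its method names, the in-memory storage and the sample addresses are hypothetical.

```php
<?php
// Added illustration: hypothetical in-memory model, not MoreConvert Pro code.
final class GuestVerification
{
    private array $emails = [];  // guest id => current email
    private array $pending = []; // guest id => ['hash' => ..., 'email' => ...]

    public function register(int $guestId, string $email): string
    {
        $this->emails[$guestId] = strtolower($email);
        return $this->issue($guestId);
    }

    public function changeEmail(int $guestId, string $newEmail): string
    {
        $this->emails[$guestId] = strtolower($newEmail);
        // Regenerate: the old link stops working, the new one goes to the new address.
        return $this->issue($guestId);
    }

    // Returns the verified email, or null when the token must be rejected.
    public function verify(int $guestId, string $token): ?string
    {
        $p = $this->pending[$guestId] ?? null;
        if ($p === null || !hash_equals($p['hash'], hash('sha256', $token))) {
            return null;
        }
        unset($this->pending[$guestId]); // single use
        // Defence in depth: a token only proves control of the email it was issued for.
        return $p['email'] === $this->emails[$guestId] ? $p['email'] : null;
    }

    private function issue(int $guestId): string
    {
        $token = bin2hex(random_bytes(32));
        // Keep only a hash of the token, bound to the address it is mailed to.
        $this->pending[$guestId] = [
            'hash'  => hash('sha256', $token),
            'email' => $this->emails[$guestId],
        ];
        return $token;
    }
}
// Constructed sample data: one guest record whose email is changed after a link was issued.
$flow = new GuestVerification();
$old  = $flow->register(7, 'guest@example.test');
$new  = $flow->changeEmail(7, 'other@example.test');
var_dump($flow->verify(7, $old)); // link issued before the email change
var_dump($flow->verify(7, $new)); // link issued for the current address
```

The same two properties (token bound to the issued-for email, token invalidated on email change) are what to look for when reviewing any email-verification flow that ends in a login.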

Explanation of Vulnerability in Simple Terms

02 Summary

MoreConvert Pro versions 1.9.14 and earlier contain an authentication bypass vulnerability. An unauthenticated attacker can authenticate as an existing user, including an administrator, without valid credentials. The flaw is in the guest waitlist verification flow: a verification token stays valid after the guest customer's email address is changed, so the token can end up authenticating an identity other than the one it was issued for. Immediate patching is required.

What an attacker can do

03 Attacker Capabilities

Gain full unauthorized access by authenticating as an existing user, including an administrator, without providing valid login credentials.

Potential impact on your site

04 Site Impact

Attackers can read, modify, or delete data; compromise user accounts; and potentially run code on your server.

Conditions required to exploit

05 Prerequisites

Network access to the MoreConvert Pro installation; no authentication or user interaction required.

Key dates

06 Disclosure timeline

May 5, 2026 CVE published
May 5, 2026 Record updated