CVE-2026-5722 Overview
CVE-2026-5722 is an authentication bypass vulnerability in the MoreConvert Pro plugin for WordPress, affecting all versions up to and including 1.9.14. The flaw resides in the guest waitlist verification flow, which fails to invalidate or regenerate verification tokens when a customer email address is changed. Unauthenticated attackers can authenticate as any existing user, including administrators, by abusing the public waitlist flow. The weakness is classified under CWE-287: Improper Authentication.
Critical Impact
Unauthenticated remote attackers can take over administrator accounts on WordPress sites running MoreConvert Pro, leading to full site compromise.
Affected Products
- MoreConvert Pro plugin for WordPress, all versions through 1.9.14
- WordPress sites using the Smart Wishlist for MoreConvert component with Pro features
- Any site exposing the public guest waitlist verification flow
Discovery Timeline
- 2026-05-05 - CVE-2026-5722 published to NVD
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2026-5722
Vulnerability Analysis
The MoreConvert Pro plugin offers a guest waitlist feature that allows unauthenticated visitors to subscribe to product availability notifications. To confirm subscriptions, the plugin issues an email verification token tied to a guest customer record. When that record's email address is later modified through the public waitlist flow, the plugin does not invalidate or regenerate the previously issued verification token.
This state inconsistency allows the verification link to authenticate the session against whichever email currently sits on the guest record. An attacker can pivot the binding from their controlled address to a victim's address, including a site administrator, while reusing the original token. The result is full account takeover without credentials, user interaction, or prior privileges.
Root Cause
The root cause is missing token lifecycle enforcement during email mutation. Verification tokens should be cryptographically bound to the email address present at issuance time, or invalidated whenever the underlying identifier changes. The plugin treats token validity and email ownership as independent state, violating the core authentication invariant tracked by CWE-287.
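The following added example is not MoreConvert code; it is a small Python model, written for this page, of the verification logic the analysis and root-cause sections describe. The class, method and record names are hypothetical. The vulnerable variant checks only the token, so an email change on the guest record is honored by a token issued for a different address; the hardened variant applies both fixes named above (an HMAC binding the token to the email at issuance, and invalidation of the token when the email changes) and rejects the stale token even when the email is changed by a path that skips the lifecycle hook.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass

# Constructed server-side key for the example; a real deployment loads it from config.
SERVER_SECRET = b"example-only-key-do-not-reuse"


def bind_token(token: str, email: str) -> str:
    """Tag a token with the e-mail it was issued for (HMAC over both)."""
    msg = f"{email.lower()}\x00{token}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


@dataclass
class GuestRecord:
    """Hypothetical stand-in for one guest waitlist customer row."""
    email: str
    token: str
    binding: str = ""   # used by the hardened variant only


class VulnerableWaitlist:
    """Models the reported defect: verify() checks the token but not the
    e-mail it was issued for, and change_email() leaves the token alive."""

    def __init__(self):
        self.records = {}

    def subscribe(self, guest_id, email):
        self.records[guest_id] = GuestRecord(email, secrets.token_urlsafe(32))
        return self.records[guest_id].token

    def change_email(self, guest_id, new_email):
        self.records[guest_id].email = new_email   # token survives the change

    def verify(self, guest_id, token):
        rec = self.records[guest_id]
        if hmac.compare_digest(rec.token, token):
            return rec.email   # session is issued for whatever e-mail is on the record now
        return None


class HardenedWaitlist(VulnerableWaitlist):
    """Both fixes from the root-cause section: the token is bound to the
    e-mail at issuance, and an e-mail change invalidates it."""

    def subscribe(self, guest_id, email):
        token = secrets.token_urlsafe(32)
        self.records[guest_id] = GuestRecord(email, token, bind_token(token, email))
        return token

    def change_email(self, guest_id, new_email):
        rec = self.records[guest_id]
        rec.email = new_email
        rec.token = ""        # invalidate: the guest must re-verify the new address
        rec.binding = ""

    def verify(self, guest_id, token):
        rec = self.records[guest_id]
        if not rec.token or not hmac.compare_digest(rec.token, token):
            return None
        # Recompute the binding against the e-mail currently on the record; any
        # drift since issuance fails the check even if the token was never cleared.
        if not hmac.compare_digest(bind_token(token, rec.email), rec.binding):
            return None
        return rec.email


def run_scenario(impl_cls):
    """Issue a token for one address, move the record to another, replay the token."""
    wl = impl_cls()
    token = wl.subscribe("guest-1", "guest@example.net")
    wl.change_email("guest-1", "admin@example.com")
    return wl.verify("guest-1", token)


def run_bypassed_lifecycle():
    """E-mail changed by a path that skips change_email() (e.g. a direct DB edit):
    the HMAC binding alone still rejects the stale token."""
    wl = HardenedWaitlist()
    token = wl.subscribe("guest-1", "guest@example.net")
    wl.records["guest-1"].email = "admin@example.com"
    return wl.verify("guest-1", token)


if __name__ == "__main__":
    print("vulnerable:  ", run_scenario(VulnerableWaitlist))   # admin@example.com
    print("hardened:    ", run_scenario(HardenedWaitlist))     # None
    print("binding only:", run_bypassed_lifecycle())           # None
```

The two layers are deliberately independent: invalidation on change covers the normal update path, and the HMAC binding covers any path (admin tooling, migrations, direct SQL) that rewrites the email without going through it. A patch that adds only one of them still closes the reported flow, but the binding is what makes the token's validity and the email's ownership a single piece of state rather than two.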
Attack Vector
Exploitation follows a deterministic sequence over the network with no authentication required:
- The attacker submits the public waitlist form using an attacker-controlled email and receives a valid verification link.
- The attacker submits the waitlist flow again, changing the guest customer record email to the target administrator address.
- The attacker clicks the original verification link, which the plugin honors against the now-modified record, authenticating the session as the administrator.
No verified public proof-of-concept code is available. Defenders should reference the Wordfence advisory for additional technical details.
Detection Methods for CVE-2026-5722
Indicators of Compromise
- Multiple guest waitlist submissions from the same source IP referencing different email addresses within a short window
- Successful WordPress administrator session establishment immediately following a GET request to a MoreConvert verification endpoint
- Unexpected administrator account activity, plugin installations, or theme edits originating from sessions tied to guest verification flows
- Guest customer records in the MoreConvert tables where the email field has been modified after a token was issued
Detection Strategies
- Inspect web server logs for repeated requests to the MoreConvert waitlist subscription and email update endpoints from the same IP, especially when followed by a verification callback.
- Correlate WordPress wp_login events with preceding requests to plugin verification URLs to identify sessions established without password authentication.
- Audit the WordPress user table and MoreConvert guest customer table for email values that match privileged user accounts.
Monitoring Recommendations
- Forward WordPress access logs and authentication events to a centralized SIEM and alert on administrator logins not preceded by wp-login.php POST activity.
- Track plugin version inventory across all WordPress instances and flag any deployment of MoreConvert Pro at or below 1.9.14.
- Monitor for newly created administrator users, role elevations, and unauthorized plugin or theme file modifications.
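As an added example of the correlation described under Detection Strategies and Monitoring Recommendations (and of the repeated-submission signal the WAF workaround below keys on), the following Python is not part of the advisory or the plugin. It runs two rules over a constructed JSON-lines event stream: the same source IP submitting the waitlist form with more than one email within a short window, and an administrator login that was preceded by a GET to a verification callback but by no POST to wp-login.php. The event field names, the `mc_verify` marker used to recognise the verification URL, and the IP addresses and usernames are all assumptions for the example; map them to the fields your WAF, access log and WordPress audit plugin actually emit.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed substring identifying the plugin's verification callback URL (not from the advisory).
VERIFY_MARKER = "mc_verify"

# Constructed JSON-lines event log merging WAF/app events and WordPress login events.
SAMPLE_EVENTS = """
{"ts":"2026-05-06T10:00:00Z","ip":"203.0.113.7","kind":"waitlist_submit","email":"guest@example.net"}
{"ts":"2026-05-06T10:00:20Z","ip":"203.0.113.7","kind":"waitlist_submit","email":"admin@example.com"}
{"ts":"2026-05-06T10:00:45Z","ip":"203.0.113.7","kind":"request","method":"GET","path":"/?mc_verify=TOKEN_REDACTED"}
{"ts":"2026-05-06T10:00:46Z","ip":"203.0.113.7","kind":"wp_login","user":"siteadmin","role":"administrator"}
{"ts":"2026-05-06T11:15:00Z","ip":"198.51.100.4","kind":"request","method":"POST","path":"/wp-login.php"}
{"ts":"2026-05-06T11:15:01Z","ip":"198.51.100.4","kind":"wp_login","user":"siteadmin","role":"administrator"}
{"ts":"2026-05-06T12:00:00Z","ip":"192.0.2.9","kind":"waitlist_submit","email":"shopper@example.org"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.strip().splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def rule_multiple_emails(events, window=timedelta(minutes=10)):
    """One IP, several distinct waitlist e-mails inside the window."""
    alerts = []
    by_ip = defaultdict(list)
    for ev in events:
        if ev["kind"] == "waitlist_submit":
            by_ip[ev["ip"]].append(ev)
    for ip, subs in by_ip.items():
        for i, first in enumerate(subs):
            emails = {first["email"]}
            for later in subs[i + 1:]:
                if later["ts"] - first["ts"] > window:
                    break
                emails.add(later["email"])
            if len(emails) > 1:
                alerts.append({"rule": "waitlist_multiple_emails", "ip": ip,
                               "emails": sorted(emails)})
                break   # one alert per IP is enough for triage
    return alerts


def rule_verify_then_admin_login(events, lookback=timedelta(seconds=120)):
    """Administrator login preceded by a verification GET and no wp-login.php POST."""
    alerts = []
    for idx, ev in enumerate(events):
        if ev["kind"] != "wp_login" or ev.get("role") != "administrator":
            continue
        saw_verify = saw_password_post = False
        for prior in reversed(events[:idx]):
            if ev["ts"] - prior["ts"] > lookback:
                break
            if prior["ip"] != ev["ip"] or prior["kind"] != "request":
                continue
            if prior["method"] == "GET" and VERIFY_MARKER in prior["path"]:
                saw_verify = True
            if prior["method"] == "POST" and prior["path"].startswith("/wp-login.php"):
                saw_password_post = True
        if saw_verify and not saw_password_post:
            alerts.append({"rule": "admin_login_after_verify_callback",
                           "ip": ev["ip"], "user": ev["user"]})
    return alerts


def detect(text):
    events = parse_events(text)
    return rule_multiple_emails(events) + rule_verify_then_admin_login(events)


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The second rule is the higher-fidelity one: a password login always leaves a POST to wp-login.php (or an equivalent SSO callback, which you should add to the allow-list), so an administrator session that appears right after a plugin verification URL and nothing else is exactly the session the advisory describes. The first rule is noisier on shared NAT egress and is better used to raise the priority of the second than as a stand-alone page.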
How to Mitigate CVE-2026-5722
Immediate Actions Required
- Update MoreConvert Pro to a version later than 1.9.14 once the vendor publishes a patched release. Confirm availability against the MoreConvert changelog.
- Disable or deactivate the MoreConvert Pro plugin on production WordPress sites until a fixed version is installed.
- Force a password reset and session invalidation for all administrator and editor accounts on sites that ran an affected version.
- Review WordPress audit logs for unauthorized administrator logins or configuration changes during the exposure window.
Patch Information
No specific fixed version is identified in the NVD record at the time of publication. Refer to the MoreConvert changelog and the Wordfence Threat Intelligence entry for the current patched release. Apply the update across all WordPress instances running the plugin.
Workarounds
- Deactivate the MoreConvert Pro plugin until a patched version is deployed.
- Restrict access to the public waitlist endpoints with a web application firewall rule that blocks repeated email-change submissions from the same client.
- Enforce two-factor authentication on all WordPress administrator accounts to limit the impact of session hijacking.
# Configuration example - disable plugin via WP-CLI until patched
wp plugin deactivate smart-wishlist-for-more-convert
wp plugin status smart-wishlist-for-more-convert
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.