
A Waitlist Plugin Could Hand Hackers the Keys to Your Entire WordPress Site

A critical flaw in a popular WordPress plugin lets anyone hijack admin accounts using a simple email swap trick. Here's what to do right now.

PLAIN ENGLISH EDITION

This article is written for general audiences — no security background needed. For the full technical analysis with CVE details, affected versions, and code-level breakdown, visit Intel Reports.

Imagine a stranger walking up to the front desk of your business, swapping their name badge with your CEO's, and being handed full access to every locked room in the building — that's essentially what a newly disclosed vulnerability in a widely used WordPress plugin allows attackers to do, completely remotely and without a password.

Who's at Risk — and How Bad Is It?

The vulnerability lives inside MoreConvert Pro, a premium WordPress plugin used by thousands of e-commerce and lead-generation websites to manage product waitlists and email capture flows. If your site runs WooCommerce and you've ever used a "notify me when back in stock" feature powered by MoreConvert Pro, your site may be exposed. Every version up to and including 1.9.14 is affected.

WordPress powers roughly 43% of all websites on the internet. Premium plugins like MoreConvert Pro are especially common on small-to-medium online stores — the exact businesses that often lack dedicated security teams to catch and patch vulnerabilities quickly. For those site owners, the real-world impact is severe: a successful attack means a stranger could gain full administrative control of their website, access customer data, plant malware, redirect traffic to scam pages, or silently exfiltrate payment information.

The Trick Is Embarrassingly Simple

Here's the attack in plain English. When a visitor joins a product waitlist as a guest on an affected site, the plugin sends them a verification token — essentially a one-time secret code — to confirm their email address. That's normal and expected. The problem is what happens next: the plugin lets the guest change their email address after that token has already been issued, without canceling the old token or issuing a new one.

An attacker exploits this gap in three steps. First, they sign up for the waitlist using their own email address and collect the verification token the site sends them. Second — and this is the key move — they use the plugin's own public-facing waitlist form to swap their email address for the email address of someone who already has an account on the site, including an administrator. Third, they use that original token (which is still valid, because the plugin never invalidated it) to authenticate as the account now associated with that email. The plugin essentially waves them through, handing them a fully authenticated session as the victim.

No password needed. No phishing. No brute-forcing. Just a free account, a working email address, and knowledge of a target's email — something often easily found on a site's contact page or in an old data breach dump.

The Technical Detail That Makes This So Serious

Security researchers classify this as a token reuse after credential mutation vulnerability — a failure in the authentication state machine where a verification token is not invalidated or regenerated following a change to the identity it was issued to verify. The flaw sits entirely within the guest waitlist verification flow, a feature accessible to completely unauthenticated users, meaning there is no barrier whatsoever to attempting an attack. It carries a CVSS score of 9.8 out of 10 (CRITICAL), the near-maximum rating reserved for remotely exploitable, low-complexity vulnerabilities requiring no privileges or user interaction.
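To make the failure in the verification state machine concrete, here is a toy model of the guest waitlist flow described above, written for this article rather than taken from MoreConvert Pro: the vulnerable flow keeps an issued token valid after the email is swapped, while the hardened flow revokes the token on any email change and binds each token to the email it was issued to verify. SITE_USERS, SERVER_SECRET and the entry ids are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the site's user table (not the plugin's data).
SITE_USERS = {"admin@example.test": "administrator", "shopper@example.test": "customer"}
SERVER_SECRET = secrets.token_bytes(32)  # assumed per-site secret


def bound_token(entry_id, email, nonce):
    # Hardened form: the token commits to the email it was issued to verify.
    msg = f"{entry_id}|{email}|{nonce}".encode()
    return nonce + "." + hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


class Waitlist:
    def __init__(self, hardened):
        self.hardened = hardened
        self.entries = {}  # entry_id -> {"email": ..., "token": ...}

    def reissue(self, entry_id):
        e = self.entries[entry_id]
        nonce = secrets.token_hex(8)
        e["token"] = bound_token(entry_id, e["email"], nonce) if self.hardened else nonce
        return e["token"]

    def join(self, entry_id, email):
        self.entries[entry_id] = {"email": email, "token": None}
        return self.reissue(entry_id)

    def change_email(self, entry_id, new_email):
        e = self.entries[entry_id]
        e["email"] = new_email
        if self.hardened:
            e["token"] = None  # revoke: a token issued for the old email proves nothing now

    def verify(self, entry_id, token):
        e = self.entries[entry_id]
        if e["token"] is None:
            return None
        if self.hardened:
            # Token must be the live one AND must recompute for the *current* email.
            nonce = token.split(".", 1)[0]
            ok = hmac.compare_digest(e["token"], token) and hmac.compare_digest(
                bound_token(entry_id, e["email"], nonce), token)
        else:
            ok = hmac.compare_digest(e["token"], token)  # vulnerable: stale token still matches
        return (e["email"], SITE_USERS.get(e["email"], "guest")) if ok else None


def attack_chain(hardened):
    """The article's three-step email swap, run against either flow."""
    wl = Waitlist(hardened)
    token = wl.join("entry-1", "attacker@example.test")  # 1: join with own email, get token
    wl.change_email("entry-1", "admin@example.test")      # 2: swap to an existing admin's email
    return wl.verify("entry-1", token)                    # 3: replay the stale token
```

In the vulnerable flow the replayed token verifies the entry as the administrator's email; in the hardened flow it is rejected, and a legitimate guest must request a fresh token after changing their address.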

Has Anyone Been Hit Yet?

As of publication, no active exploitation has been confirmed in the wild, and no known victim campaigns have been publicly attributed to this flaw. However, the security community's experience with similarly rated WordPress plugin vulnerabilities is consistent and sobering: once a CVE of this severity is published, automated scanning tools operated by opportunistic attackers typically begin probing for vulnerable installations within hours to days. The window between disclosure and mass exploitation is shrinking industry-wide.

The vulnerability was assigned CVE-2026-5722 and is categorized under authentication bypass and privilege escalation. Security teams and threat intelligence platforms will be watching closely for indicators of exploitation in the coming weeks.

What You Need to Do Right Now

If you run a WordPress site with MoreConvert Pro installed, treat this as urgent. Here are three specific steps:

  1. Update immediately to a patched version. Log into your WordPress dashboard, navigate to Plugins → Installed Plugins, and check your MoreConvert Pro version. You should be running a version higher than 1.9.14. If an update is available, install it now. If no patched version has been released yet by the time you read this, consider temporarily deactivating the plugin until one is available — a broken waitlist feature is far less damaging than a compromised admin account.
  2. Audit your administrator accounts immediately. Go to Users → All Users in your WordPress dashboard and filter by the Administrator role. Look for any accounts you don't recognize, any with recently changed email addresses, or any with unusual last-login timestamps. Remove or demote any suspicious accounts, and force a password reset for all admins via a trusted identity management process.
  3. Enable login anomaly alerting and consider a Web Application Firewall (WAF). Plugins like Wordfence (free tier available) or cloud-based WAF services like Cloudflare's WAF can detect and block unusual authentication patterns consistent with this type of token abuse. At minimum, enable email notifications for new administrator account creation so you're alerted the moment something changes.

Bottom line: A 9.8 CVSS score on a zero-barrier authentication bypass in a plugin installed on thousands of sites is about as loud an alarm bell as the security world rings. Don't wait for your hosting provider to catch this one. Patch it yourself, today.
