PT-2026-36944 · WordPress · Moreconvert Pro

Published 2026-05-05 · Updated 2026-05-05 · CVE-2026-5722

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

MoreConvert Pro versions prior to 1.9.15

Description

The MoreConvert Pro plugin for WordPress contains an authentication bypass flaw. The issue exists because the guest waitlist verification flow fails to invalidate or regenerate verification tokens when a customer email address is modified. An unauthenticated attacker can exploit this by obtaining a valid guest verification token for an email they control, changing that email to a target account email via the public waitlist flow, and then utilizing the original verification link to authenticate as the target user, including administrators.

Recommendations

Update to a version later than 1.9.14.
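
The invariant a fix has to restore, shown as an added example (a toy in-memory model, not MoreConvert Pro's code; the class, method names and addresses are constructed for illustration): a verification token proves control only of the address it was issued for, so changing the address must revoke it.

```python
import hashlib
import secrets


class GuestWaitlist:
    """Toy model of a guest email-verification flow (constructed, not plugin code)."""

    def __init__(self, rebind_on_email_change):
        self.rebind = rebind_on_email_change
        self.email = {}    # guest_id -> current email on the record
        self.tokens = {}   # sha256(token) -> (guest_id, email the token was issued for)

    @staticmethod
    def _digest(token):
        # Store only a hash so a leaked table does not yield usable links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue_token(self, guest_id, email):
        self.email[guest_id] = email
        token = secrets.token_urlsafe(32)
        self.tokens[self._digest(token)] = (guest_id, email)
        return token

    def change_email(self, guest_id, new_email):
        self.email[guest_id] = new_email
        if self.rebind:
            # Fix: every token issued for the old address is revoked with it.
            self.tokens = {d: v for d, v in self.tokens.items() if v[0] != guest_id}

    def verify(self, token):
        """Return the email this token authenticates as, or None if rejected."""
        entry = self.tokens.pop(self._digest(token), None)  # single use
        if entry is None:
            return None
        guest_id, issued_for = entry
        current = self.email.get(guest_id)
        if self.rebind and issued_for != current:
            return None  # defence in depth: token was minted for another address
        return current


def replay_after_email_change(rebind):
    """Regression check: an old link is used after the record's address changed."""
    wl = GuestWaitlist(rebind)
    token = wl.issue_token("guest-1", "first@example.test")
    wl.change_email("guest-1", "second@example.test")
    return wl.verify(token)
```

With `rebind=False` the old link resolves to the new address, which is the flaw described above; with `rebind=True` it is rejected and a fresh token has to be issued to the new address.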

Fix

Weakness Enumeration: Improper Authentication

Related Identifiers: CVE-2026-5722

Affected Products: Moreconvert Pro