Cyber Posture

CVE-2026-5722

Critical

Published: 05 May 2026

Published
05 May 2026
Modified
05 May 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0020 41.7th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

The MoreConvert Pro plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.9.14. This is due to the guest waitlist verification flow not invalidating or regenerating verification tokens when the customer email address is…

more

changed. This makes it possible for unauthenticated attackers to authenticate as existing users, including administrators, by obtaining a valid guest verification token for an attacker-controlled email, changing the same guest customer email to the target account email through the public waitlist flow, and then using the original verification link.

Mitigating Controls (NIST 800-53 r5)AI

IA-5 Authenticator Management good match
prevent

Directly requires proper management of verification tokens, including invalidation or regeneration upon events like email changes, preventing authentication bypass via token reuse.

SI-2 Flaw Remediation good match
prevent

Addresses the specific plugin flaw by requiring timely identification, reporting, and patching of vulnerabilities like CVE-2026-5722 as referenced in the changelog.

AC-14 Permitted Actions Without Identification or Authentication partial match
prevent

Limits and authorizes unauthenticated actions in the public guest waitlist flow, such as email changes, mitigating the manipulation step required for the attack.

Security SummaryAI

CVE-2026-5722, published on 2026-05-05, is an authentication bypass vulnerability in the MoreConvert Pro plugin for WordPress, affecting all versions up to and including 1.9.14. The flaw arises in the guest waitlist verification flow, which does not invalidate or regenerate verification tokens when the customer email address is changed. This vulnerability has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-287 (Improper Authentication).

Unauthenticated attackers can exploit this issue to authenticate as any existing WordPress user, including administrators. The attack sequence requires obtaining a valid guest verification token for an attacker-controlled email, then using the public waitlist flow to change that guest customer's email to the target account's email address, followed by using the original verification link to gain unauthorized access.

Mitigation details are referenced in the plugin changelog at https://moreconvert.com/changelog/, the WordPress plugin directory at https://wordpress.org/plugins/smart-wishlist-for-more-convert/, and Wordfence's threat intelligence page at https://www.wordfence.com/threat-intel/vulnerabilities/id/fe887475-f7e8-4fda-a793-bc6f37b70f3e?source=cve. Security practitioners should consult these sources for patch availability and remediation guidance.

Details

CWE(s)
CWE-287

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1078 Valid Accounts Stealth
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
attack.mitre.org →
Why these techniques?

Authentication bypass in public-facing WordPress plugin allows unauthenticated attackers to authenticate as any valid user (incl. admins) via token/email manipulation, directly mapping to T1190 (Exploit Public-Facing Application) for initial access and T1078 (Valid Accounts) for account impersonation.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

References