CVE-2026-5722
Published: 05 May 2026
Summary
CVE-2026-5722 is a critical-severity Improper Authentication (CWE-287) vulnerability in Moreconvert (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 46.7th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly requires proper management of verification tokens, including invalidation or regeneration upon events like email changes, preventing authentication bypass via token reuse.
Addresses the specific plugin flaw by requiring timely identification, reporting, and patching of vulnerabilities like CVE-2026-5722 as referenced in the changelog.
Limits and authorizes unauthenticated actions in the public guest waitlist flow, such as email changes, mitigating the manipulation step required for the attack.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Authentication bypass in public-facing WordPress plugin allows unauthenticated attackers to authenticate as any valid user (incl. admins) via token/email manipulation, directly mapping to T1190 (Exploit Public-Facing Application) for initial access and T1078 (Valid Accounts) for account impersonation.
NVD Description
The MoreConvert Pro plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.9.14. This is due to the guest waitlist verification flow not invalidating or regenerating verification tokens when the customer email address is…
more
changed. This makes it possible for unauthenticated attackers to authenticate as existing users, including administrators, by obtaining a valid guest verification token for an attacker-controlled email, changing the same guest customer email to the target account email through the public waitlist flow, and then using the original verification link.
Deeper analysisAI
CVE-2026-5722, published on 2026-05-05, is an authentication bypass vulnerability in the MoreConvert Pro plugin for WordPress, affecting all versions up to and including 1.9.14. The flaw arises in the guest waitlist verification flow, which does not invalidate or regenerate verification tokens when the customer email address is changed. This vulnerability has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-287 (Improper Authentication).
Unauthenticated attackers can exploit this issue to authenticate as any existing WordPress user, including administrators. The attack sequence requires obtaining a valid guest verification token for an attacker-controlled email, then using the public waitlist flow to change that guest customer's email to the target account's email address, followed by using the original verification link to gain unauthorized access.
Mitigation details are referenced in the plugin changelog at https://moreconvert.com/changelog/, the WordPress plugin directory at https://wordpress.org/plugins/smart-wishlist-for-more-convert/, and Wordfence's threat intelligence page at https://www.wordfence.com/threat-intel/vulnerabilities/id/fe887475-f7e8-4fda-a793-bc6f37b70f3e?source=cve. Security practitioners should consult these sources for patch availability and remediation guidance.
Details
- CWE(s)