Cyber Resilience

CVE-2026-5722

Critical

Published: 05 May 2026

Published
05 May 2026
Modified
05 May 2026
KEV Added
Patch
CVSS Score v3.1 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0046 36.5th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-5722 is a critical-severity Improper Authentication (CWE-287) vulnerability in Moreconvert (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 36.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 IA-5 (Authenticator Management) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-5722, published on 2026-05-05, is an authentication bypass vulnerability in the MoreConvert Pro plugin for WordPress, affecting all versions up to and including 1.9.14. The flaw arises in the guest waitlist verification flow, which does not invalidate or regenerate verification tokens when the customer email address is changed. This vulnerability has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-287 (Improper Authentication).

Unauthenticated attackers can exploit this issue to authenticate as any existing WordPress user, including administrators. The attack sequence requires obtaining a valid guest verification token for an attacker-controlled email, then using the public waitlist flow to change that guest customer's email to the target account's email address, followed by using the original verification link to gain unauthorized access.

Mitigation details are referenced in the plugin changelog at https://moreconvert.com/changelog/, the WordPress plugin directory at https://wordpress.org/plugins/smart-wishlist-for-more-convert/, and Wordfence's threat intelligence page at https://www.wordfence.com/threat-intel/vulnerabilities/id/fe887475-f7e8-4fda-a793-bc6f37b70f3e?source=cve. Security practitioners should consult these sources for patch availability and remediation guidance.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

The MoreConvert Pro plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.9.14. This is due to the guest waitlist verification flow not invalidating or regenerating verification tokens when the customer email address is…

more

changed. This makes it possible for unauthenticated attackers to authenticate as existing users, including administrators, by obtaining a valid guest verification token for an attacker-controlled email, changing the same guest customer email to the target account email through the public waitlist flow, and then using the original verification link.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1078 Valid Accounts Stealth
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

Authentication bypass in public-facing WordPress plugin allows unauthenticated attackers to authenticate as any valid user (incl. admins) via token/email manipulation, directly mapping to T1190 (Exploit Public-Facing Application) for initial access and T1078 (Valid Accounts) for account impersonation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-12919Shared CWE-287
CVE-2026-3655Shared CWE-287
CVE-2026-0953Shared CWE-287
CVE-2026-30949Shared CWE-287
CVE-2026-23906Shared CWE-287
CVE-2025-67822Shared CWE-287
CVE-2025-1475Shared CWE-287
CVE-2025-22146Shared CWE-287
CVE-2026-5229Shared CWE-287
CVE-2026-28514Shared CWE-287

Affected Assets

Moreconvert
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires proper management of verification tokens, including invalidation or regeneration upon events like email changes, preventing authentication bypass via token reuse.

prevent

Addresses the specific plugin flaw by requiring timely identification, reporting, and patching of vulnerabilities like CVE-2026-5722 as referenced in the changelog.

prevent

Limits and authorizes unauthenticated actions in the public guest waitlist flow, such as email changes, mitigating the manipulation step required for the attack.

References