This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login. Read the full analysis β
Q1What is this vulnerability? (Essence + Consequences)
π¨ **Essence**: Authentication Bypass in MoreConvert Pro. π **Consequences**: Attackers can hijack any account (even Admins) by manipulating email verification tokens. Total loss of integrity and confidentiality.
Q2Root Cause? (CWE/Flaw)
π‘οΈ **CWE-287**: Improper Authentication. π **Flaw**: When a guest changes their email, the system fails to revoke or regenerate the validation token. The old token remains valid for the new email.
Q3Who is affected? (Versions/Components)
π¦ **Vendor**: MoreConvert. π¦ **Product**: MoreConvert Pro (WordPress Plugin). π **Affected**: All versions <= 1.9.14. π **Published**: 2026-05-05.
Q4What can hackers do? (Privileges/Data)
π **Privileges**: Full Admin Access. πΎ **Data**: Complete control over user accounts. π **Method**: Hackers use a guest token -> change email to target -> complete login. No password needed!
Q5Is exploitation threshold high? (Auth/Config)
π **Threshold**: LOW. π« **Auth**: None required (Public). βοΈ **Config**: No special setup needed. π **Vector**: Network (AV:N), Low Complexity (AC:L). Anyone can exploit this remotely.
Q6Is there a public Exp? (PoC/Wild Exploitation)
π« **Public Exp**: No specific PoC code provided in data. β οΈ **Risk**: High. The logic is simple enough that wild exploitation is likely imminent given the CVSS 9.8 score.
Q7How to self-check? (Features/Scanning)
π **Check**: Scan for MoreConvert Pro plugin. π **Version**: Verify if version <= 1.9.14. π‘οΈ **Monitor**: Look for unexpected admin logins via email verification flows.
Q8Is it fixed officially? (Patch/Mitigation)
π οΈ **Fix**: Update to version > 1.9.14. π **Source**: Check vendor changelog or WordPress plugin repo. π **Action**: Immediate upgrade is the only official mitigation.
Q9What if no patch? (Workaround)
π§ **Workaround**: If unpatched, disable the 'Guest Waitlist' feature if possible. π **Mitigation**: Monitor email change logs closely. π **Contact**: Reach out to vendor for interim fixes if update isn't immediate.
Q10Is it urgent? (Priority Suggestion)
π₯ **Urgency**: CRITICAL. π **CVSS**: 9.8 (High). β‘ **Priority**: Patch IMMEDIATELY. This is a remote, unauthenticated bypass with full admin impact. Do not wait.