Introduction
A critical authentication bypass in the MoreConvert Pro plugin for WordPress allows unauthenticated attackers to log in as any existing user, including site administrators, by exploiting a token reuse flaw in the guest waitlist verification flow. With a CVSS score of 9.8 and no authentication required, this vulnerability poses a direct risk to WooCommerce stores relying on the plugin for marketing and conversion features.
MoreConvert Pro is a WooCommerce marketing plugin developed by the Moreconvert Team, offering features such as back-in-stock notifications, wishlists, and advanced analytics. The free version of the plugin has over 9,000 active installations on the WordPress Plugin Repository, and the premium Pro version extends this with additional functionality, including the waitlist flow in which this vulnerability resides. The plugin participates in the Patchstack Vulnerability Disclosure Program for security bug triage.
Technical Information
The vulnerability is classified under CWE-287 (Improper Authentication) and resides in the guest waitlist verification flow of the MoreConvert Pro plugin.
Root Cause
When a guest user signs up for a product waitlist, the plugin generates a verification token tied to the guest's email address. The fundamental issue is that when the customer email address associated with a guest record is changed through the public waitlist flow, the plugin does not invalidate or regenerate the previously issued verification token. The old token remains valid and becomes implicitly bound to the new email address.
Attack Flow
The exploitation sequence is straightforward and requires no prior authentication:
- Obtain a valid token: The attacker registers as a guest on the waitlist using an email address they control. The plugin issues a verification token for this email.
- Swap the email: The attacker uses the publicly accessible waitlist flow to change the guest customer email from their own address to the email address of a target account (for example, a site administrator).
- Reuse the original token: The attacker navigates to the original verification link, which still contains the token issued in step 1.
- Authenticate as the target: Because the token was never invalidated when the email was changed, the system treats the verification as legitimate and authenticates the attacker as the target user.
The only prerequisite is knowledge of the target account's email address. In WooCommerce environments, administrator email addresses are frequently discoverable through author archives, public contact pages, or other common information disclosure vectors.
A successful exploit grants the attacker full access to the target account. When the target is an administrator, this means complete control over the WordPress installation, including the ability to modify site content, install plugins, access customer data, and manipulate WooCommerce orders and payment configurations.
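The defect described above is a token that is bound to a mutable field (the guest's current email) instead of to the address it was actually mailed to. The following is an added example, not code from the MoreConvert plugin, written in Python as a language-neutral model rather than the plugin's PHP. It places a minimal reproduction of the defect class beside a hardened flow that hashes the token at rest, records the address the token was sent to, discards the token whenever that address changes, refuses to authenticate if the bound address no longer matches the record, and consumes the token on first use. All class names, the `users` map and the email addresses are constructed for the model.

```python
"""Toy model of a guest-waitlist email verification flow.

Added example, not the plugin's code. VulnerableFlow reproduces the defect
class (token survives an email change and follows the new address);
HardenedFlow binds the token to the address it was mailed to.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Guest:
    guest_id: int
    email: str                  # current address on the guest record
    token_hash: Optional[str]   # sha256 of the token that was mailed out
    token_email: Optional[str]  # address that token was mailed to


class WaitlistFlow:
    """Shared scaffolding; subclasses differ only in token handling."""

    def __init__(self, registered_users: dict[str, str]):
        self.users = registered_users        # email -> username (constructed)
        self.guests: dict[int, Guest] = {}
        self._next_id = 1

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def register(self, email: str) -> tuple[int, str]:
        """Create a guest record; return (guest_id, token that gets emailed)."""
        token = secrets.token_urlsafe(32)
        gid = self._next_id
        self._next_id += 1
        self.guests[gid] = Guest(gid, email, self._hash(token), email)
        return gid, token

    def _guest_for_token(self, token: str) -> Optional[Guest]:
        digest = self._hash(token)
        for g in self.guests.values():
            if g.token_hash and hmac.compare_digest(g.token_hash, digest):
                return g
        return None


class VulnerableFlow(WaitlistFlow):
    """Email can be swapped; the old token keeps working for the new email."""

    def change_email(self, gid: int, new_email: str) -> None:
        self.guests[gid].email = new_email   # token left untouched (defect)

    def verify(self, token: str) -> Optional[str]:
        g = self._guest_for_token(token)
        if g is None:
            return None
        # Authenticates whichever account the *current* email points at.
        return self.users.get(g.email)


class HardenedFlow(WaitlistFlow):
    """Token is bound to the address it was sent to and dies on change."""

    def change_email(self, gid: int, new_email: str) -> str:
        g = self.guests[gid]
        g.email = new_email
        # Old token is replaced; the new one must be mailed to new_email.
        token = secrets.token_urlsafe(32)
        g.token_hash, g.token_email = self._hash(token), new_email
        return token

    def verify(self, token: str) -> Optional[str]:
        g = self._guest_for_token(token)
        # Reject if the token was mailed to a different address than the
        # one now on file (covers any path that edits email directly).
        if g is None or g.token_email != g.email:
            return None
        g.token_hash = None                  # single use: no replay of the link
        return self.users.get(g.token_email)


def demo(flow_cls: type[WaitlistFlow]) -> Optional[str]:
    """Register with one address, swap to another, replay the first token."""
    flow = flow_cls({"admin@example.test": "admin"})   # constructed sample
    gid, token = flow.register("attacker@example.test")
    flow.change_email(gid, "admin@example.test")
    return flow.verify(token)


if __name__ == "__main__":
    print("vulnerable:", demo(VulnerableFlow))   # "admin"
    print("hardened:  ", demo(HardenedFlow))     # None
```

The check that matters is the comparison of `token_email` against the record's current `email` at verification time: regenerating the token on change closes the path the advisory describes, and the comparison closes any other path that edits the address without going through `change_email`. Storing only a hash of the token means a database read does not yield usable links, and consuming the token on first use removes the replay window.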
Severity Context
The CVSS 9.8 score reflects the combination of factors that make this vulnerability particularly dangerous: network accessibility, low attack complexity, no privileges required, no user interaction needed, and the potential for complete compromise of confidentiality, integrity, and availability.
Affected Systems and Versions
The vulnerability affects the MoreConvert Pro plugin for WordPress in all versions up to and including 1.9.14.
Wordfence recommends updating to version 1.9.15 or later as the remediation baseline. Note that the vendor's own changelog references 1.9.14 as a fixed version, but this conflicts with the Wordfence advisory, which explicitly states that 1.9.14 is vulnerable. Administrators should rely on the Wordfence guidance and ensure they are running 1.9.15 or newer.
| Source | Stated Fixed Version | Guidance |
|---|---|---|
| Wordfence Vulnerability Database | 1.9.15 | Use as the authoritative remediation baseline |
| WordPress Plugin Repository | 1.9.15 | Confirms the fix is included in the 1.9.15 release cycle |
| MoreConvert Vendor Changelog | 1.9.14 | Conflicts with Wordfence; do not rely on this as the patched version |
The free version of the plugin (MoreConvert Wishlist for WooCommerce) is listed separately on the WordPress Plugin Repository, but the vulnerable waitlist verification flow is specific to the premium Pro version.
Vendor Security History
The Moreconvert Team utilizes the Patchstack Vulnerability Disclosure Program to handle and triage security bugs, which indicates a structured approach to vulnerability management. No prior CVEs for this vendor were referenced in the available source materials.