CVE-2026-5722
MoreConvert · MoreConvert Pro Plugin for WordPress
An authentication bypass vulnerability in MoreConvert Pro for WordPress allows unauthenticated attackers to take over existing accounts, including administrator accounts, by abusing guest waitlist email-verification tokens that remain valid after the associated email address is changed.
Executive summary
A critical authentication bypass in the MoreConvert Pro plugin allows unauthenticated attackers to hijack existing user accounts, including those with administrative privileges.
Vulnerability
The flaw is in the guest waitlist verification flow: when the email address on a waitlist entry is updated, the verification token that was issued earlier is not invalidated. An attacker can therefore associate their own email address with a target account's verification token and complete the verification step as the victim, which takes over the account without knowing its password. The advisory gives no request-level detail of the flow, so the exact parameters involved are not known from this page.
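The following is an added model of this flaw class, written for this page and not taken from MoreConvert Pro: a waitlist whose verification token survives an email change, beside a hardened version that rotates and re-binds the token whenever the address changes. The entry store, the `outbox` standing in for outbound mail, the user directory, the endpoint names and the token format are all assumptions chosen to make the mechanism runnable offline; the advisory does not describe the plugin's real implementation.

```python
"""Model of a guest-waitlist verification token that survives an email change.

Added illustration only. Nothing here is MoreConvert Pro code; the storage,
method names, token layout and sample accounts are assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed stand-in for the site's user table (assumption).
USERS_BY_EMAIL = {"admin@example.test": 1, "attacker@example.test": 7}


@dataclass
class Entry:
    entry_id: int
    email: str
    token: str


class VulnerableWaitlist:
    """Token is issued once at join time and never rotated or re-bound."""

    def __init__(self):
        self.entries = {}   # entry_id -> Entry
        self.outbox = []    # (recipient, token) pairs that were "mailed"

    def join(self, email):
        entry = Entry(len(self.entries) + 1, email, secrets.token_hex(16))
        self.entries[entry.entry_id] = entry
        self.outbox.append((email, entry.token))
        return entry.entry_id

    def update_email(self, entry_id, new_email):
        # BUG: the address changes but the old token stays valid for this entry.
        self.entries[entry_id].email = new_email

    def verify(self, entry_id, token):
        entry = self.entries[entry_id]
        if not hmac.compare_digest(entry.token, token):
            return None
        # Logs in whichever account currently matches the entry's email.
        return USERS_BY_EMAIL.get(entry.email)


class HardenedWaitlist(VulnerableWaitlist):
    """Token is bound to (entry, email), rotated on every change, single use."""

    def __init__(self, secret):
        super().__init__()
        self.secret = secret

    def _mac(self, entry, nonce):
        msg = f"{entry.entry_id}:{entry.email}:{nonce}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def _issue(self, entry):
        nonce = secrets.token_hex(8)
        entry.token = f"{nonce}.{self._mac(entry, nonce)}"
        self.outbox.append((entry.email, entry.token))  # only the current address gets it

    def join(self, email):
        entry = Entry(len(self.entries) + 1, email, "")
        self.entries[entry.entry_id] = entry
        self._issue(entry)
        return entry.entry_id

    def update_email(self, entry_id, new_email):
        entry = self.entries[entry_id]
        entry.email = new_email
        self._issue(entry)  # previous token is now invalid

    def verify(self, entry_id, token):
        entry = self.entries[entry_id]
        nonce, _, mac = token.partition(".")
        # Defence in depth: the token only validates for the email it was issued to,
        # and must still be the currently stored (unused) token.
        if not hmac.compare_digest(self._mac(entry, nonce), mac):
            return None
        if not hmac.compare_digest(entry.token, token):
            return None
        entry.token = ""  # single use
        return USERS_BY_EMAIL.get(entry.email)


def takeover(waitlist):
    """Attacker joins with their own address, re-points the entry at the victim,
    then verifies with the token from their own inbox. Returns the user id that
    would be logged in, or None if the attempt is rejected."""
    eid = waitlist.join("attacker@example.test")
    attacker_token = waitlist.outbox[-1][1]
    waitlist.update_email(eid, "admin@example.test")
    return waitlist.verify(eid, attacker_token)


if __name__ == "__main__":
    print("vulnerable:", takeover(VulnerableWaitlist()))
    print("hardened:  ", takeover(HardenedWaitlist(b"server-secret")))
```

In the vulnerable model the attacker's token still verifies after the entry has been re-pointed at the administrator's address, so the login step returns the administrator's user id. In the hardened model the email change issues a fresh token that is only delivered to the new address, the stale token fails both the binding check and the stored-token check, and a legitimate token can be used exactly once.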
Business impact
Successful exploitation results in full account takeover. If an administrator's account is targeted, the attacker gains complete control of the WordPress instance; because an administrator can install plugins and edit theme files, this is in practice equivalent to code execution as the web server user, leading to data theft, site defacement, and potential compromise of the host. The CVSS score of 9.8 reflects the severity of an unauthenticated bypass that reaches administrative accounts.
Remediation
Immediate Action: Update the MoreConvert Pro plugin to the latest version, which is expected to invalidate or rotate verification tokens when an email address changes.
Proactive Monitoring: WordPress core keeps no change history for user email addresses, so compare the current administrator accounts and their emails against a known-good list, and enable an audit-logging mechanism going forward so that unexpected changes to administrative user emails are recorded.
Compensating Controls: Enforce multi-factor authentication (MFA) for all administrative accounts. Note that MFA only helps here if it is also enforced on the plugin's verification login path; a flow that establishes a session directly from a verification link, without passing through the normal login form, may bypass it, and MFA does nothing for a session that has already been established.
Exploitation status
Public Exploit Available: No
Analyst recommendation
Account takeover vulnerabilities are critical risks. Security teams must prioritize updating the affected plugin and should also perform a forensic review of administrator accounts and their email history to identify any unauthorized changes that may indicate past exploitation.