The MoreConvert Pro plugin for WordPress versions up to 1.9.14 contains an authentication bypass vulnerability. The flaw exists in the guest waitlist verification flow which fails to invalidate or regenerate verification tokens when customer email addresses are changed. This allows unauthenticated attackers to authenticate as existing users, including administrators, by obtaining a verification token for an attacker-controlled email, changing the guest customer email to a target account email through the public waitlist flow, and then using the original verification link to gain unauthorized access.