A critical vulnerability in Convert Plus, a commercial plugin for WordPress websites estimated to have 100,000 active installations, allows an unauthenticated attacker to create accounts with administrator privileges.
The problem stems from lack of filtering when processing a new user subscription via a form supplied by the plugin.
Hidden admin value
Convert Plus, formerly Convert Plug, was created to make websites more engaging and for calling visitors to action. The intended effect is to increase the user base and sales conversions, and it is achieved through various call-to-action elements on the page.