Platform: wordpress
Component: ecwid-shopping-cart
Fixed in: 7.0.8
CVE-2026-1750 describes a Privilege Escalation vulnerability within the Ecwid by Lightspeed Ecommerce Shopping Cart plugin for WordPress. This flaw allows authenticated attackers, even those with minimal permissions like a subscriber, to elevate their privileges and gain store manager access. The vulnerability impacts versions from 0.0.0 through 7.0.7, and a fix is available in version 7.0.8.
The primary impact of CVE-2026-1750 is unauthorized privilege escalation. An attacker who starts with limited permissions can abuse the 'savecustomuserprofilefields' function, which lacks a capability check, by supplying the 'ecstoreadmin_access' parameter during a profile update. This bypasses the intended access controls and grants store manager access, effectively giving the attacker control over critical aspects of the Ecwid store, including product management, order processing, and customer data. This could lead to data breaches, fraudulent transactions, and complete compromise of the e-commerce platform. Because exploitation requires only an authenticated account with subscriber privileges, the potential attack surface is significantly larger than for flaws that need elevated roles.
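As an added illustration (not the Ecwid plugin's own source; the meta key 'ec_store_admin_access', the function names and the chosen capability are assumptions), the following shows the WordPress pattern behind a missing-capability-check bug of this kind: a profile-update handler that writes a privilege-granting flag straight from the request, beside a hardened version that checks who is making the request before the field is touched.

```php
<?php
// Illustrative WordPress plugin code, not the Ecwid plugin's own source.
// The meta key 'ec_store_admin_access' and the capability used below are assumptions.

// Vulnerable pattern: the handler trusts the submitted field. Any logged-in
// user who can save their own profile can set the store-admin flag on
// their account, which is exactly a missing capability check.
function example_vulnerable_save_profile_fields( $user_id ) {
    if ( isset( $_POST['ec_store_admin_access'] ) ) {
        update_user_meta( $user_id, 'ec_store_admin_access', (bool) $_POST['ec_store_admin_access'] );
    }
}

// Hardened pattern: a field that grants privileges may only be written by a
// caller who is allowed to edit this user AND holds an administrative
// capability. Core has already verified the profile form nonce before the
// profile-update hooks fire, so the check that matters here is the capability.
function example_hardened_save_profile_fields( $user_id ) {
    if ( ! current_user_can( 'edit_user', $user_id ) || ! current_user_can( 'manage_options' ) ) {
        return; // A subscriber saving their own profile stops here; the flag is left untouched.
    }
    // Store a strictly typed value rather than whatever string was submitted.
    $grant = isset( $_POST['ec_store_admin_access'] ) && '1' === $_POST['ec_store_admin_access'];
    update_user_meta( $user_id, 'ec_store_admin_access', $grant ? 1 : 0 );
}

// The check lives in the save handler, not in the screen that renders the
// field: the POST body can be crafted regardless of what the UI showed.
add_action( 'personal_options_update', 'example_hardened_save_profile_fields' );
add_action( 'edit_user_profile_update', 'example_hardened_save_profile_fields' );
```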
CVE-2026-1750 was publicly disclosed on 2026-02-15. There is currently no indication of active exploitation in the wild, nor are there any publicly available proof-of-concept exploits. The vulnerability has been added to the CISA KEV catalog, indicating a medium probability of exploitation. Monitor WordPress plugin updates and security advisories for further information.
Exploit Status
EPSS: 0.04% (12th percentile)
The primary mitigation for CVE-2026-1750 is to upgrade the Ecwid by Lightspeed Ecommerce Shopping Cart plugin to version 7.0.8 or later immediately. If upgrading is not immediately feasible because of compatibility issues or breaking changes, consider tightening user role permissions within WordPress to limit the capabilities of subscriber accounts; this is not a complete solution, but it can reduce the potential impact. Review WordPress user roles and ensure the 'ecstoreadmin_access' parameter cannot be set by lower-privileged users. After upgrading, confirm the fix by attempting a profile update with a subscriber account and verifying that the 'ecstoreadmin_access' parameter is properly validated and rejected.
Update to version 7.0.8, or a newer patched version
CVE-2026-1750 is a HIGH severity vulnerability affecting the Ecwid by Lightspeed Ecommerce Shopping Cart plugin for WordPress. It allows attackers with subscriber permissions to gain store manager access due to a missing capability check.
You are affected if you are using the Ecwid by Lightspeed Ecommerce Shopping Cart plugin for WordPress in versions 0.0.0 through 7.0.7. Upgrade to 7.0.8 or later to mitigate the risk.
The recommended fix is to upgrade the Ecwid plugin to version 7.0.8 or later. If immediate upgrade is not possible, restrict user permissions to limit the potential impact.
There is currently no evidence of active exploitation in the wild, but the vulnerability has been added to the CISA KEV catalog, indicating a potential risk.
Refer to the official Ecwid security advisory for detailed information and updates: [https://www.ecwid.com/security/advisories](https://www.ecwid.com/security/advisories)