Platform
wordpress
Component
ecwid-shopping-cart
Fixed in
7.0.8
CVE-2026-1750 describes a Privilege Escalation vulnerability within the Ecwid by Lightspeed Ecommerce Shopping Cart plugin for WordPress. This flaw allows authenticated attackers, even those with minimal permissions like a subscriber, to elevate their privileges and gain store manager access. The vulnerability impacts versions from 0.0.0 through 7.0.7, and a fix is available in version 7.0.8.
The primary impact of CVE-2026-1750 is unauthorized privilege escalation. An attacker who starts with limited permissions can abuse the 'save_custom_user_profile_fields' function by supplying the 'ec_store_admin_access' parameter during a profile update. Because the function does not check whether the current user is allowed to grant that flag, the request bypasses the intended security controls and grants store manager access, effectively giving the attacker control over critical aspects of the Ecwid store, including product management, order processing, and customer data. This could lead to data breaches, fraudulent transactions, and complete compromise of the e-commerce platform. The ease of exploitation, requiring only authenticated access with subscriber privileges, significantly expands the potential attack surface.
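To make the bug class concrete, the following is an added, hypothetical PHP example written for this page; it is not the Ecwid plugin's own source. It contrasts a profile-save handler that honours a privilege-granting request field for any authenticated user with a hardened handler that checks capability and nonce first. The function names, the 'manage_options' capability and the user-meta key are assumptions chosen for illustration; only the request field name 'ec_store_admin_access' comes from the advisory.

```php
<?php
// Added example (hypothetical, not the plugin's real code).
// Shows the pattern behind a "missing capability check" privilege escalation
// in a WordPress profile-update handler, and the corrected form.

// --- Vulnerable pattern ----------------------------------------------------
// Any user who can submit their own profile form can set the flag, because the
// handler never asks whether the current user may grant store-manager access.
function example_save_profile_vulnerable( $user_id ) {
    if ( isset( $_POST['ec_store_admin_access'] ) ) {
        $grant = ( '1' === $_POST['ec_store_admin_access'] ) ? '1' : '0';
        update_user_meta( $user_id, 'example_store_admin', $grant ); // assumed meta key
    }
}

// --- Hardened pattern ------------------------------------------------------
// The field is only honoured when the *current* user holds a capability that
// entitles them to grant it, regardless of whose profile is being saved.
function example_save_profile_hardened( $user_id ) {
    if ( ! isset( $_POST['ec_store_admin_access'] ) ) {
        return;
    }
    // Assumed capability: site administrators only. Lower roles are ignored
    // silently, so the field is inert in a subscriber's profile submission.
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    // WordPress core already validates this nonce on profile.php/user-edit.php;
    // repeating it keeps the handler safe if it is ever reused elsewhere.
    check_admin_referer( 'update-user_' . $user_id );

    $raw   = sanitize_text_field( wp_unslash( $_POST['ec_store_admin_access'] ) );
    $grant = ( '1' === $raw ) ? '1' : '0';
    update_user_meta( $user_id, 'example_store_admin', $grant ); // assumed meta key
}

// Both the "edit own profile" and "edit another user" save paths fire these
// hooks, so the hardened handler must be attached to both.
add_action( 'personal_options_update', 'example_save_profile_hardened' );
add_action( 'edit_user_profile_update', 'example_save_profile_hardened' );
```

The important point is that the check is on the actor (current_user_can), not on the target user or on the presence of the field: a subscriber editing their own profile can always submit arbitrary POST fields, so the server must decide whether this user is permitted to change this attribute. After upgrading, it is also worth auditing which accounts currently hold store-manager access, since a fix stops future escalation but does not revoke access that was already granted.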
CVE-2026-1750 was publicly disclosed on 2026-02-15. There is currently no indication of active exploitation in the wild, nor are there any publicly available proof-of-concept exploits. The vulnerability has been added to the CISA KEV catalog, indicating a medium probability of exploitation. Monitor WordPress plugin updates and security advisories for further information.
Websites utilizing the Ecwid by Lightspeed Ecommerce Shopping Cart plugin for WordPress, particularly those with a large number of subscriber-level users or those who have not implemented robust user role management practices, are at significant risk. Shared hosting environments where multiple websites share the same server resources are also at increased risk, as a compromise on one site could potentially lead to lateral movement and exploitation of other sites using the vulnerable plugin.
• wordpress / composer / npm:
grep -r 'ec_store_admin_access' /var/www/html/wp-content/plugins/ecwid/includes/user-profile.php
• wordpress / composer / npm:
wp plugin list | grep ecwid
• wordpress / composer / npm:
wp plugin update ecwid
Disclosure
Exploit Status
EPSS
0.04% (12th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2026-1750 is to immediately upgrade the Ecwid by Lightspeed Ecommerce Shopping Cart plugin to version 7.0.8 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider implementing stricter user role permissions within WordPress to limit the capabilities of subscriber accounts. While not a complete solution, this can reduce the potential impact. Review WordPress user roles and ensure the 'ec_store_admin_access' parameter cannot be acted on when submitted by lower-privileged users. After upgrading, confirm the fix by attempting a profile update with a subscriber account and verifying that the 'ec_store_admin_access' parameter is properly validated and rejected.
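As an added example of the interim measure described above (not code from Ecwid or from the original page), the following hypothetical must-use plugin drops the 'ec_store_admin_access' field from profile-save requests made by users who lack an administrative capability, and logs the attempt for review. It assumes the vulnerable handler reads the field from $_POST during a wp-admin profile save and that 'manage_options' is the right capability to require; it is a stopgap until the 7.0.8 upgrade is applied, not a replacement for it.

```php
<?php
/**
 * Plugin Name: Example interim guard for ec_store_admin_access (added example)
 * Description: Hypothetical stopgap, not Ecwid code. Place in wp-content/mu-plugins/
 *              only until the plugin is upgraded to 7.0.8 or later.
 */

// admin_init fires inside wp-admin/admin.php, which user-edit.php and profile.php
// load before they process the submitted form. Removing the field here means any
// later handler on this request sees no 'ec_store_admin_access' at all.
add_action( 'admin_init', function () {
    if ( ! isset( $_POST['ec_store_admin_access'] ) ) {
        return;
    }
    // Assumed capability: administrators keep the normal plugin behaviour.
    if ( current_user_can( 'manage_options' ) ) {
        return;
    }
    // Log who submitted the field without the capability, so defenders can
    // review the attempt in the PHP error log (or wherever error_log() is routed).
    error_log( sprintf(
        'CVE-2026-1750 guard: ec_store_admin_access submitted by user %d without manage_options; field dropped',
        get_current_user_id()
    ) );
    unset( $_POST['ec_store_admin_access'], $_REQUEST['ec_store_admin_access'] );
}, 1 );
```

Priority 1 runs the guard ahead of other admin_init callbacks. Its coverage is limited to requests that pass through admin_init; the advisory says role restrictions are only a partial mitigation, and this guard is likewise partial, so the upgrade to 7.0.8 remains the fix and the logged events are the useful output in the meantime.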
Update to version 7.0.8, or a more recent patched version.
Vulnerability analysis and critical alerts delivered straight to your inbox.
CVE-2026-1750 is a HIGH severity vulnerability affecting the Ecwid by Lightspeed Ecommerce Shopping Cart plugin for WordPress. It allows attackers with subscriber permissions to gain store manager access due to a missing capability check.
You are affected if you are using Ecwid by Lightspeed Ecommerce Shopping Cart plugin for WordPress versions 0.0.0 through 7.0.7. Upgrade to 7.0.8 or later to mitigate the risk.
The recommended fix is to upgrade the Ecwid plugin to version 7.0.8 or later. If immediate upgrade is not possible, restrict user permissions to limit the potential impact.
There is currently no evidence of active exploitation in the wild, but the vulnerability has been added to the CISA KEV catalog, indicating a potential risk.
Refer to the official Ecwid security advisory for detailed information and updates: [https://www.ecwid.com/security/advisories](https://www.ecwid.com/security/advisories)
Upload your dependency file and detect this and other CVEs instantly.