Skip to main content

Surecart CVE-2026-39488

| EUVDEUVD-2026-20158 MEDIUM
Missing Authorization (CWE-862)
2026-04-08 Patchstack GHSA-rjwp-r8m2-v94w
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

5
CVSS changed
Apr 29, 2026 - 10:22 NVD
6.3 (MEDIUM) 6.5 (MEDIUM)
Analysis Generated
Apr 15, 2026 - 12:40 vuln.today
CVSS changed
Apr 13, 2026 - 19:37 NVD
6.3 (MEDIUM)
EUVD ID Assigned
Apr 08, 2026 - 08:45 euvd
EUVD-2026-20158
CVE Published
Apr 08, 2026 - 08:30 nvd
N/A

DescriptionCVE.org

Missing Authorization vulnerability in SureCart SureCart surecart allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SureCart: from n/a through <= 4.0.2.

AnalysisAI

Missing authorization controls in SureCart WordPress plugin versions up to 4.0.2 allow authenticated attackers to access or modify restricted data due to incorrectly configured access control security levels. With CVSS 6.3 (authenticated attack, low complexity, confidentiality/integrity/availability impact) and EPSS 0.02% exploitation probability, this represents a moderate-severity flaw affecting plugin deployments where user role separation is security-critical; no public exploit code or active exploitation has been confirmed.

Technical ContextAI

SureCart is a WordPress e-commerce plugin (CPE cpe:2.3:a:surecart:surecart:*:*:*:*:*:*:*:*) that manages commerce functionality including payments, subscriptions, and customer data. The vulnerability stems from CWE-862 (Missing Authorization), indicating the plugin fails to enforce proper role-based access control (RBAC) checks on sensitive operations or data endpoints. WordPress plugins typically enforce authorization via WordPress nonces, capability checks (current_user_can()), and role restrictions; this flaw suggests those controls are either missing or misconfigured, allowing authenticated users (PR:L in CVSS) with lower privilege levels to access functionality intended only for administrators or higher roles.

RemediationAI

Update SureCart to a version greater than 4.0.2 as soon as available from the plugin author. The vendor advisory and NVD record (https://nvd.nist.gov/vuln/detail/CVE-2026-39488) should be monitored for patched version availability. In the interim, website administrators should audit user role assignments and restrict access to SureCart administrative functions to trusted administrators only; consider temporarily disabling SureCart features if they handle sensitive commerce data until a patch is confirmed. Review WordPress user roles and capabilities via the dashboard Settings → Users panel to ensure appropriate privilege separation.

Share

CVE-2026-39488 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy