Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
5DescriptionCVE.org
Missing Authorization vulnerability in SureCart SureCart surecart allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SureCart: from n/a through <= 4.0.2.
AnalysisAI
Missing authorization controls in SureCart WordPress plugin versions up to 4.0.2 allow authenticated attackers to access or modify restricted data due to incorrectly configured access control security levels. With CVSS 6.3 (authenticated attack, low complexity, confidentiality/integrity/availability impact) and EPSS 0.02% exploitation probability, this represents a moderate-severity flaw affecting plugin deployments where user role separation is security-critical; no public exploit code or active exploitation has been confirmed.
Technical ContextAI
SureCart is a WordPress e-commerce plugin (CPE cpe:2.3:a:surecart:surecart:*:*:*:*:*:*:*:*) that manages commerce functionality including payments, subscriptions, and customer data. The vulnerability stems from CWE-862 (Missing Authorization), indicating the plugin fails to enforce proper role-based access control (RBAC) checks on sensitive operations or data endpoints. WordPress plugins typically enforce authorization via WordPress nonces, capability checks (current_user_can()), and role restrictions; this flaw suggests those controls are either missing or misconfigured, allowing authenticated users (PR:L in CVSS) with lower privilege levels to access functionality intended only for administrators or higher roles.
RemediationAI
Update SureCart to a version greater than 4.0.2 as soon as available from the plugin author. The vendor advisory and NVD record (https://nvd.nist.gov/vuln/detail/CVE-2026-39488) should be monitored for patched version availability. In the interim, website administrators should audit user role assignments and restrict access to SureCart administrative functions to trusted administrators only; consider temporarily disabling SureCart features if they handle sensitive commerce data until a patch is confirmed. Review WordPress user roles and capabilities via the dashboard Settings → Users panel to ensure appropriate privilege separation.
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in SureCart al
Auth. Rated medium severity (CVSS 4.8), this vulnerability is remotely exploitable, low attack complexity. No vendor pat
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-20158
GHSA-rjwp-r8m2-v94w