Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
1DescriptionCVE.org
Missing Authorization vulnerability in WP Sunshine Sunshine Photo Cart allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects Sunshine Photo Cart: from n/a through 3.6.7.
AnalysisAI
Broken access control in the Sunshine Photo Cart WordPress plugin (versions through 3.6.7) allows authenticated low-privilege users to perform actions beyond their intended authorization level. The root cause is a missing authorization check (CWE-862) that permits exploitation of incorrectly configured access control security levels, resulting in partial confidentiality, integrity, and availability impact. No public exploit code exists and the vulnerability is not listed in CISA KEV; EPSS of 0.03% (10th percentile) and SSVC exploitation status of 'none' indicate low real-world threat at time of analysis.
Technical ContextAI
Sunshine Photo Cart is a WordPress e-commerce plugin developed by WP Sunshine, identified via CPE cpe:2.3:a:wp_sunshine:sunshine_photo_cart:*:*:*:*:*:*:*:*. The vulnerability is classified under CWE-862 (Missing Authorization), a root-cause class where code performs a sensitive operation without verifying that the calling user holds the necessary permission or role. In WordPress plugins, this commonly manifests as AJAX handlers, REST API endpoints, or admin-page callbacks that check nonces for CSRF protection but omit capability checks (e.g., current_user_can()), allowing any authenticated user - including subscribers or customers - to invoke privileged functionality. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U) confirms the attack is network-reachable, low-complexity, and requires only low-level authentication with no user interaction.
RemediationAI
Update Sunshine Photo Cart to the version released after 3.6.7 that addresses this authorization defect; however, an exact patched version number is not confirmed in the available data - check the WordPress plugin repository or the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/sunshine-photo-cart/vulnerability/wordpress-sunshine-photo-cart-plugin-3-6-7-broken-access-control-vulnerability for the specific fixed release before upgrading. If an immediate update is not possible, restrict plugin access by disabling registration or limiting who can create authenticated accounts on the WordPress site, which reduces the pool of users who could trigger the missing authorization check. Alternatively, a Web Application Firewall rule targeting the specific vulnerable endpoint (identifiable from the Patchstack advisory) can block exploitation attempts without requiring a code change, though this may affect legitimate plugin functionality and requires testing. Site administrators should also audit user roles to ensure no untrusted users have active authenticated sessions.
More in Sunshine Photo Cart
View allThe Sunshine Photo Cart plugin for WordPress (versions ≤3.4.11) contains an improper key validation vulnerability in its
Cross-Site Request Forgery (CSRF) vulnerability in WP Sunshine Sunshine Photo Cart plugin <= 2.9.13 versions. Rated medi
The Sunshine Photo Cart: Free Client Galleries for Photographers plugin for WordPress is vulnerable to Sensitive Informa
Authorization Bypass Through User-Controlled Key vulnerability in WP Sunshine Sunshine Photo Cart: Free Client Galleries
Sunshine Photo Cart WordPress plugin versions prior to 3.6.2 expose sensitive information through insertion into sent da
The Sunshine Photo Cart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and includin
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31750
GHSA-42vq-h95x-4x26