Skip to main content

Sunshine Photo Cart CVE-2026-42776

| EUVDEUVD-2026-31750 MEDIUM
Missing Authorization (CWE-862)
2026-05-25 Patchstack GHSA-42vq-h95x-4x26
6.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
Analysis Generated
Jun 08, 2026 - 11:54 vuln.today

DescriptionCVE.org

Missing Authorization vulnerability in WP Sunshine Sunshine Photo Cart allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects Sunshine Photo Cart: from n/a through 3.6.7.

AnalysisAI

Broken access control in the Sunshine Photo Cart WordPress plugin (versions through 3.6.7) allows authenticated low-privilege users to perform actions beyond their intended authorization level. The root cause is a missing authorization check (CWE-862) that permits exploitation of incorrectly configured access control security levels, resulting in partial confidentiality, integrity, and availability impact. No public exploit code exists and the vulnerability is not listed in CISA KEV; EPSS of 0.03% (10th percentile) and SSVC exploitation status of 'none' indicate low real-world threat at time of analysis.

Technical ContextAI

Sunshine Photo Cart is a WordPress e-commerce plugin developed by WP Sunshine, identified via CPE cpe:2.3:a:wp_sunshine:sunshine_photo_cart:*:*:*:*:*:*:*:*. The vulnerability is classified under CWE-862 (Missing Authorization), a root-cause class where code performs a sensitive operation without verifying that the calling user holds the necessary permission or role. In WordPress plugins, this commonly manifests as AJAX handlers, REST API endpoints, or admin-page callbacks that check nonces for CSRF protection but omit capability checks (e.g., current_user_can()), allowing any authenticated user - including subscribers or customers - to invoke privileged functionality. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:U) confirms the attack is network-reachable, low-complexity, and requires only low-level authentication with no user interaction.

RemediationAI

Update Sunshine Photo Cart to the version released after 3.6.7 that addresses this authorization defect; however, an exact patched version number is not confirmed in the available data - check the WordPress plugin repository or the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/sunshine-photo-cart/vulnerability/wordpress-sunshine-photo-cart-plugin-3-6-7-broken-access-control-vulnerability for the specific fixed release before upgrading. If an immediate update is not possible, restrict plugin access by disabling registration or limiting who can create authenticated accounts on the WordPress site, which reduces the pool of users who could trigger the missing authorization check. Alternatively, a Web Application Firewall rule targeting the specific vulnerable endpoint (identifiable from the Patchstack advisory) can block exploitation attempts without requiring a code change, though this may affect legitimate plugin functionality and requires testing. Site administrators should also audit user roles to ensure no untrusted users have active authenticated sessions.

Share

CVE-2026-42776 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy