Skip to main content

SureCart CVE-2026-7655

| EUVDEUVD-2026-43148 HIGH
Weak Password Recovery Mechanism for Forgotten Password (CWE-640)
2026-07-11 Wordfence GHSA-6p8m-qjvm-q2jf
8.1
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
8.1 HIGH
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.1 HIGH

Remote and unauthenticated (AV:N/PR:N) but requires knowing the victim's customer ID and a linked account, so AC:H; successful admin takeover yields full C:H/I:H/A:H.

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 11, 2026 - 06:21 vuln.today
CVE Published
Jul 11, 2026 - 04:32 cve.org
HIGH 8.1

DescriptionCVE.org

The SureCart plugin for WordPress is vulnerable to privilege escalation via account takeover in versions up to, and including, 4.2.3. This is due to the plugin not properly validating a user's identity prior to updating their details like email during customer profile synchronization from webhook events. This makes it possible for unauthenticated attackers to change linked user's email addresses, including administrators if the administrator account is linked to a SureCart customer record, and leverage that to reset the user's password and gain access to their account if the customer ID is known.

AnalysisAI

Account takeover in the SureCart e-commerce plugin for WordPress (versions ≤ 4.2.3) lets unauthenticated attackers overwrite the email address of any WordPress user linked to a SureCart customer record during webhook-driven customer profile synchronization. Because the plugin does not verify the requester's identity before applying the update, an attacker who knows a victim's customer ID - including that of an administrator - can change the account email, trigger a password reset, and seize the account. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain target's SureCart customer ID
Delivery
Send crafted webhook sync event
Exploit
Overwrite linked user email to attacker address
Execution
Trigger WordPress password reset
Impact
Log in as administrator

Vulnerability AssessmentAI

Exploitation Exploitation requires that (1) the target WordPress user is linked to a SureCart customer record - administrators are only at risk if their account is linked - and (2) the attacker knows or can guess that user's SureCart customer ID, which is the specific value consumed by the webhook customer-profile-synchronization handler. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, 8.1 High) captures the essentials: fully remote and unauthenticated (PR:N), no user interaction, and total compromise of a targeted account (C:H/I:H/A:H) once achieved. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker learns or enumerates the SureCart customer ID tied to a site administrator, then sends a crafted webhook event to the plugin's sync endpoint changing that customer's linked email to an attacker-controlled address. With the admin's email now theirs, the attacker requests a WordPress password reset, receives the reset link, and logs in with full administrator privileges. …
Remediation Upstream fix available (WordPress plugin trac changeset 3532438); a released patched version is not independently confirmed from the input, though it is expected to be the first release above 4.2.3 (likely 4.2.4) - verify the exact patched version on the plugin's WordPress.org changelog before relying on it. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all WordPress installations for SureCart plugin usage (versions ≤ 4.2.3) and identify any customer records with administrator account access. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-7655 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy