Severity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Remote and unauthenticated (AV:N/PR:N) but requires knowing the victim's customer ID and a linked account, so AC:H; successful admin takeover yields full C:H/I:H/A:H.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
The SureCart plugin for WordPress is vulnerable to privilege escalation via account takeover in versions up to, and including, 4.2.3. This is due to the plugin not properly validating a user's identity prior to updating their details like email during customer profile synchronization from webhook events. This makes it possible for unauthenticated attackers to change linked user's email addresses, including administrators if the administrator account is linked to a SureCart customer record, and leverage that to reset the user's password and gain access to their account if the customer ID is known.
Articles & Coverage 1
AnalysisAI
Account takeover in the SureCart e-commerce plugin for WordPress (versions ≤ 4.2.3) lets unauthenticated attackers overwrite the email address of any WordPress user linked to a SureCart customer record during webhook-driven customer profile synchronization. Because the plugin does not verify the requester's identity before applying the update, an attacker who knows a victim's customer ID - including that of an administrator - can change the account email, trigger a password reset, and seize the account. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that (1) the target WordPress user is linked to a SureCart customer record - administrators are only at risk if their account is linked - and (2) the attacker knows or can guess that user's SureCart customer ID, which is the specific value consumed by the webhook customer-profile-synchronization handler. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H, 8.1 High) captures the essentials: fully remote and unauthenticated (PR:N), no user interaction, and total compromise of a targeted account (C:H/I:H/A:H) once achieved. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker learns or enumerates the SureCart customer ID tied to a site administrator, then sends a crafted webhook event to the plugin's sync endpoint changing that customer's linked email to an attacker-controlled address. With the admin's email now theirs, the attacker requests a WordPress password reset, receives the reset link, and logs in with full administrator privileges. … |
| Remediation | Upstream fix available (WordPress plugin trac changeset 3532438); a released patched version is not independently confirmed from the input, though it is expected to be the first release above 4.2.3 (likely 4.2.4) - verify the exact patched version on the plugin's WordPress.org changelog before relying on it. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all WordPress installations for SureCart plugin usage (versions ≤ 4.2.3) and identify any customer records with administrator account access. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43148
GHSA-6p8m-qjvm-q2jf