Skip to main content

Sunshine Photo Cart

7 CVEs product

Monthly

CVE-2026-42776 MEDIUM This Month

Broken access control in the Sunshine Photo Cart WordPress plugin (versions through 3.6.7) allows authenticated low-privilege users to perform actions beyond their intended authorization level. The root cause is a missing authorization check (CWE-862) that permits exploitation of incorrectly configured access control security levels, resulting in partial confidentiality, integrity, and availability impact. No public exploit code exists and the vulnerability is not listed in CISA KEV; EPSS of 0.03% (10th percentile) and SSVC exploitation status of 'none' indicate low real-world threat at time of analysis.

Authentication Bypass Sunshine Photo Cart
NVD
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-39564 MEDIUM This Month

Sunshine Photo Cart WordPress plugin versions prior to 3.6.2 expose sensitive information through insertion into sent data, allowing remote unauthenticated attackers to retrieve embedded sensitive data with low attack complexity. The EPSS score of 0.02% (5th percentile) indicates minimal real-world exploitation probability despite the moderate CVSS 5.3 rating, suggesting this is a low-priority information disclosure with limited practical impact.

Information Disclosure Sunshine Photo Cart
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-5482 HIGH PATCH This Week

The Sunshine Photo Cart plugin for WordPress (versions ≤3.4.11) contains an improper key validation vulnerability in its password reset functionality, allowing authenticated attackers with Subscriber-level privileges to perform privilege escalation by resetting arbitrary user passwords, including administrators. With a CVSS score of 8.8 and a low attack complexity (network-accessible, no user interaction required), this vulnerability poses a critical threat to WordPress installations using this plugin. The vulnerability is likely to be actively exploited given the straightforward attack path and the high-value target (admin account takeover).

WordPress Privilege Escalation PHP Sunshine Photo Cart
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2024-1294 MEDIUM PATCH This Month

The Sunshine Photo Cart: Free Client Galleries for Photographers plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.0.24 via the 'invoice'. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure WordPress Authentication Bypass Sunshine Photo Cart
NVD
CVSS 3.1
5.3
EPSS
0.5%
CVE-2023-41796 MEDIUM This Month

Authorization Bypass Through User-Controlled Key vulnerability in WP Sunshine Sunshine Photo Cart: Free Client Galleries for Photographers.0.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Sunshine Photo Cart
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2021-4415 MEDIUM PATCH This Month

The Sunshine Photo Cart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.8.28 This is due to missing or incorrect nonce validation on the. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

WordPress CSRF Sunshine Photo Cart
NVD VulDB
CVSS 3.1
4.3
EPSS
0.1%
CVE-2022-40692 MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in WP Sunshine Sunshine Photo Cart plugin <= 2.9.13 versions. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Sunshine Photo Cart
NVD
CVSS 3.1
5.4
EPSS
0.1%
EPSS 0% CVSS 6.3
MEDIUM This Month

Broken access control in the Sunshine Photo Cart WordPress plugin (versions through 3.6.7) allows authenticated low-privilege users to perform actions beyond their intended authorization level. The root cause is a missing authorization check (CWE-862) that permits exploitation of incorrectly configured access control security levels, resulting in partial confidentiality, integrity, and availability impact. No public exploit code exists and the vulnerability is not listed in CISA KEV; EPSS of 0.03% (10th percentile) and SSVC exploitation status of 'none' indicate low real-world threat at time of analysis.

Authentication Bypass Sunshine Photo Cart
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Sunshine Photo Cart WordPress plugin versions prior to 3.6.2 expose sensitive information through insertion into sent data, allowing remote unauthenticated attackers to retrieve embedded sensitive data with low attack complexity. The EPSS score of 0.02% (5th percentile) indicates minimal real-world exploitation probability despite the moderate CVSS 5.3 rating, suggesting this is a low-priority information disclosure with limited practical impact.

Information Disclosure Sunshine Photo Cart
NVD
EPSS 0% CVSS 8.8
HIGH PATCH This Week

The Sunshine Photo Cart plugin for WordPress (versions ≤3.4.11) contains an improper key validation vulnerability in its password reset functionality, allowing authenticated attackers with Subscriber-level privileges to perform privilege escalation by resetting arbitrary user passwords, including administrators. With a CVSS score of 8.8 and a low attack complexity (network-accessible, no user interaction required), this vulnerability poses a critical threat to WordPress installations using this plugin. The vulnerability is likely to be actively exploited given the straightforward attack path and the high-value target (admin account takeover).

WordPress Privilege Escalation PHP +1
NVD
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

The Sunshine Photo Cart: Free Client Galleries for Photographers plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.0.24 via the 'invoice'. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure WordPress Authentication Bypass +1
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Authorization Bypass Through User-Controlled Key vulnerability in WP Sunshine Sunshine Photo Cart: Free Client Galleries for Photographers.0.0. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass Sunshine Photo Cart
NVD
EPSS 0% CVSS 4.3
MEDIUM PATCH This Month

The Sunshine Photo Cart plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 2.8.28 This is due to missing or incorrect nonce validation on the. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Cross-Site Request Forgery (CSRF) vulnerability could allow attackers to trick authenticated users into performing unintended actions.

WordPress CSRF Sunshine Photo Cart
NVD VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

Cross-Site Request Forgery (CSRF) vulnerability in WP Sunshine Sunshine Photo Cart plugin <= 2.9.13 versions. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Sunshine Photo Cart
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy