Skip to main content

Surecart Ecommerce Made Easy For Selling Physical Products Digital Downloads Subscriptions Donations Payments

1 CVEs product

Monthly

CVE-2026-7655 HIGH This Week

Account takeover in the SureCart e-commerce plugin for WordPress (versions ≤ 4.2.3) lets unauthenticated attackers overwrite the email address of any WordPress user linked to a SureCart customer record during webhook-driven customer profile synchronization. Because the plugin does not verify the requester's identity before applying the update, an attacker who knows a victim's customer ID - including that of an administrator - can change the account email, trigger a password reset, and seize the account. No public exploit is identified at time of analysis, but the flaw was reported by Wordfence and carries a CVSS of 8.1.

WordPress Privilege Escalation Surecart Ecommerce Made Easy For Selling Physical Products Digital Downloads Subscriptions Donations Payments
NVD
CVSS 3.1
8.1
EPSS
0.2%
EPSS 0% CVSS 8.1
HIGH This Week

Account takeover in the SureCart e-commerce plugin for WordPress (versions ≤ 4.2.3) lets unauthenticated attackers overwrite the email address of any WordPress user linked to a SureCart customer record during webhook-driven customer profile synchronization. Because the plugin does not verify the requester's identity before applying the update, an attacker who knows a victim's customer ID - including that of an administrator - can change the account email, trigger a password reset, and seize the account. No public exploit is identified at time of analysis, but the flaw was reported by Wordfence and carries a CVSS of 8.1.

WordPress Privilege Escalation Surecart Ecommerce Made Easy For Selling Physical Products Digital Downloads Subscriptions Donations Payments
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy