Ecwid by Lightspeed Ecommerce Shopping Cart

8.8 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Description

The Ecwid by Lightspeed Ecommerce Shopping Cart plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 7.0.7. This is due to a missing capability check in the 'save_custom_user_profile_fields' function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to supply the 'ec_store_admin_access' parameter during a profile update and gain store manager access to the site.

AI Analysis

Privilege Escalation vulnerability in Ecwid by Lightspeed Ecommerce Shopping Cart plugin for WordPress due to missing capability check

Basic Information

ID CVE-2026-1750

Source Wordfence

Published Feb 15, 2026 at 03:24

Affected Product

Vendor ecwid

Product Ecwid by Lightspeed Ecommerce Shopping Cart

Version *

Affected Versions ecwid Ecwid by Lightspeed Ecommerce Shopping Cart *

CWE Classification

CWE-269

AI Assessment

AI Score 8.8 / 10

AI Severity High

Vendor Lightspeed

Product Ecwid Ecommerce Shopping Cart

Version 7.0.7

References

{
    "lastseen": "",
    "description": "The Ecwid by Lightspeed Ecommerce Shopping Cart plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 7.0.7. This is due to a missing capability check in the 'save_custom_user_profile_fields' function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to supply the 'ec_store_admin_access' parameter during a profile update and gain store manager access to the site.",
    "published": "2026-02-15T03:24:33.787Z",
    "modified": "2026-02-15T03:24:33.787Z",
    "type": "cve",
    "title": "Ecwid by Lightspeed Ecommerce Shopping Cart <= 7.0.7 - Authenticated (Subscriber+) Privilege Escalation via ec_store_admin_access",
    "source": "Wordfence",
    "references": "https://www.wordfence.com/threat-intel/vulnerabilities/id/2d29f77c-b86d-4058-b528-27631e8a1f2e?source=cve\nhttps://plugins.trac.wordpress.org/browser/ecwid-shopping-cart/tags/7.0.7/includes/class-ec-store-admin-access.php#L28\nhttps://plugins.trac.wordpress.org/changeset/3460721/ecwid-shopping-cart#file2",
    "id": "CVE-2026-1750",
    "bulletinFamily": "",
    "cwe": [
        "CWE-269"
    ],
    "cvelist": null,
    "sourceData": "ecwid Ecwid by Lightspeed Ecommerce Shopping Cart *",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Ecwid by Lightspeed Ecommerce Shopping Cart",
    "version": "*",
    "vendor": "ecwid",
    "ai_description": "Privilege Escalation vulnerability in Ecwid by Lightspeed Ecommerce Shopping Cart plugin for WordPress due to missing capability check",
    "ai_severity": "High",
    "ai_vendor": "Lightspeed",
    "ai_product": "Ecwid Ecommerce Shopping Cart",
    "ai_version": "7.0.7",
    "ai_score": 8.8
}

Ecwid by Lightspeed Ecommerce Shopping Cart <= 7.0.7 - Authenticated (Subscriber+) Privilege Escalation via ec_store_admin_access_CVE-2026-1750