Description
The Sunshine Photo Cart: Free Client Photo Galleries for Photographers plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.4.11. This is due to the plugin not properly validating a user-supplied key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary user's passwords through the password reset functionality, including administrators, and leverage that to reset the user's password and gain access to their account.
Published: 2025-06-04
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via Password Reset
Action: Immediate Patch
AI Analysis

Impact

The plugin failure allows an authenticated user with Subscriber-level access or higher to reset the password of any other user, including administrators, by exploiting an unvalidated key. This grants full access to the victim's account, enabling the attacker to compromise confidentiality, integrity, and availability of the site. The weakness is a privilege escalation flaw (CWE-620).

Affected Systems

Sunshine Photo Cart, a WordPress plugin, is affected in all versions up to and including 3.4.11. No specific vendor version details are provided beyond the maximum vulnerable release.

Risk and Exploitability

The vulnerability has a CVSS score of 8.8, indicating high severity, but the EPSS score is less than 1%, suggesting a low likelihood of exploitation at present. It is not listed in the CISA KEV catalog. Attackers need to be authenticated as a Subscriber or above, after which they can trigger the password reset function to impersonate any user. No remote code execution or other exploitation techniques are required beyond leveraging the existing password reset flow.

Generated by OpenCVE AI on April 21, 2026 at 20:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Sunshine Photo Cart plugin to version 3.4.12 or later.
  • Configure the plugin or role settings to disable password reset capabilities for the Subscriber role, or remove that capability from the role entirely.
  • If immediate upgrade is not feasible, remove Subscriber privileges from users that do not require frontend access and consider temporarily disabling the plugin’s access to the password reset functionality until the fix is applied.

Generated by OpenCVE AI on April 21, 2026 at 20:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-16851 The Sunshine Photo Cart: Free Client Photo Galleries for Photographers plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.4.11. This is due to the plugin not properly validating a user-supplied key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary user's passwords through the password reset functionality, including administrators, and leverage that to reset the user's password and gain access to their account.
History

Wed, 08 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
Title Sunshine Photo Cart <= 3.4.11 - Authenticated (Subscriber) Privilege Escalation Sunshine Photo Cart <= 3.4.11 - Authenticated (Subscriber+) Privilege Escalation

Fri, 11 Jul 2025 19:00:00 +0000

Type Values Removed Values Added
First Time appeared Sunshinephotocart
Sunshinephotocart sunshine Photo Cart
CPEs cpe:2.3:a:sunshinephotocart:sunshine_photo_cart:*:*:*:*:*:wordpress:*:*
Vendors & Products Sunshinephotocart
Sunshinephotocart sunshine Photo Cart

Wed, 04 Jun 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 04 Jun 2025 07:30:00 +0000

Type Values Removed Values Added
Description The Sunshine Photo Cart: Free Client Photo Galleries for Photographers plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.4.11. This is due to the plugin not properly validating a user-supplied key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary user's passwords through the password reset functionality, including administrators, and leverage that to reset the user's password and gain access to their account.
Title Sunshine Photo Cart <= 3.4.11 - Authenticated (Subscriber) Privilege Escalation
Weaknesses CWE-620
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Sunshinephotocart Sunshine Photo Cart
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:52:57.489Z

Reserved: 2025-06-02T19:40:42.633Z

Link: CVE-2025-5482

cve-icon Vulnrichment

Updated: 2025-06-04T13:44:35.765Z

cve-icon NVD

Status : Analyzed

Published: 2025-06-04T08:15:22.613

Modified: 2025-07-11T18:50:03.380

Link: CVE-2025-5482

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-21T20:30:27Z

Weaknesses