Description
Missing Authorization vulnerability in sunshinephotocart Sunshine Photo Cart sunshine-photo-cart allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Sunshine Photo Cart: from n/a through <= 3.5.3.
Published: 2025-10-27
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing authorization flaw that allows attackers to invoke functionality in the Sunshine Photo Cart WordPress plugin that is not properly restricted by access control lists. This enables unauthorized users to access administrative actions or data that should be limited to privileged roles. The weakness is identified as CWE-862, a broken access control issue.

Affected Systems

The vulnerability affects the Sunshine Photo Cart plugin for WordPress for all releases up through and including version 3.5.3. The plugin is distributed by the vendor Sunshine Photo Cart. No other plugin versions or vendors are listed as affected.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity, and the EPSS score of less than 1% suggests that current exploitation of this flaw is unlikely. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is a web‑based request to the WordPress site hosting the plugin, where an attacker can send crafted HTTP requests to invoke restricted functions without proper authentication. The exploit would require that the attacker can interact with the site, such as via a publicly accessible account or a compromised user.

Generated by OpenCVE AI on April 29, 2026 at 20:49 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Sunshine Photo Cart plugin to version 3.5.4 or later to remove the access‑control flaw.
  • If an update is not immediately feasible, restrict access to the plugin’s administration URLs by applying role‑based restrictions or by blocking those endpoints at the web‑server or firewall level.
  • As a temporary workaround, consider disabling the Sunshine Photo Cart plugin until a patched version is available, or block traffic to any URLs that map to the vulnerable functionality.



Advisories

No advisories yet.

History

Mon, 27 Apr 2026 18:15:00 +0000

Type: Metrics
Values Removed: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 13 Nov 2025 11:30:00 +0000


Thu, 13 Nov 2025 10:45:00 +0000


Tue, 28 Oct 2025 14:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 27 Oct 2025 22:30:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Sunshinephotocart; Sunshinephotocart sunshine Photo Cart; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Sunshinephotocart; Sunshinephotocart sunshine Photo Cart; Wordpress; Wordpress wordpress

Mon, 27 Oct 2025 02:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: Missing Authorization vulnerability in sunshinephotocart Sunshine Photo Cart sunshine-photo-cart allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects Sunshine Photo Cart: from n/a through <= 3.5.3.

Type: Title
Values Removed: (none)
Values Added: WordPress Sunshine Photo Cart plugin <= 3.5.3 - Broken Access Control vulnerability

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-862

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:04.987Z

Reserved: 2025-10-24T14:24:16.560Z

Link: CVE-2025-62892

Vulnrichment

Updated: 2025-10-27T15:21:40.968Z

NVD

Status: Deferred

Published: 2025-10-27T02:15:48.140

Modified: 2026-04-27T18:16:27.780

Link: CVE-2025-62892

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T21:00:09Z
