Impact
The Sunshine Photo Cart plugin for WordPress contains a missing authorization flaw that permits users to bypass intended access controls. This is a broken access control issue classified as CWE-862 (Missing Authorization). Attackers who can interact with the plugin could exploit the missing or incorrectly configured access-level checks to read or manipulate data or functionality that should be protected, potentially compromising the confidentiality and integrity of photo cart content. The vulnerability does not lead directly to remote code execution or denial of service, but it does allow unauthorized operations within the plugin's scope.
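To make the CWE-862 pattern concrete for plugin reviewers, the following is an added illustration written for this page; it is not code from Sunshine Photo Cart, and the page does not identify which of the plugin's endpoints is affected. The action names, the `example_` functions, the `_example_visibility` meta key and the `nonce` field name are all hypothetical. The first handler shows the defect class (a logged-in AJAX endpoint that never checks who is calling); the second shows the checks a hardened handler performs.

```php
<?php
// Added illustration of CWE-862 (missing authorization) in a WordPress AJAX
// handler. All names below are hypothetical and are not taken from the plugin.

// --- Vulnerable pattern -----------------------------------------------------
// Registered under wp_ajax_*, so only logged-in users reach it, but nothing
// verifies that the caller may edit this particular gallery. Any authenticated
// account (a subscriber, a customer) can change any gallery's visibility.
function example_gallery_update_vulnerable() {
    $gallery_id = isset( $_POST['gallery_id'] ) ? absint( $_POST['gallery_id'] ) : 0;
    $visibility = isset( $_POST['visibility'] )
        ? sanitize_text_field( wp_unslash( $_POST['visibility'] ) )
        : '';

    // Missing: nonce verification and a capability/ownership check (CWE-862).
    update_post_meta( $gallery_id, '_example_visibility', $visibility );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_gallery_update_vulnerable', 'example_gallery_update_vulnerable' );
// Note: also registering the same callback under wp_ajax_nopriv_* would expose
// it to unauthenticated visitors, widening the flaw from "any user" to "anyone".

// --- Hardened pattern -------------------------------------------------------
function example_gallery_update_hardened() {
    // 1. CSRF: reject requests that do not carry a valid nonce for this action.
    //    check_ajax_referer() dies with HTTP 403 (-1 body) on failure.
    check_ajax_referer( 'example_gallery_update', 'nonce' );

    $gallery_id = isset( $_POST['gallery_id'] ) ? absint( $_POST['gallery_id'] ) : 0;
    $visibility = isset( $_POST['visibility'] )
        ? sanitize_text_field( wp_unslash( $_POST['visibility'] ) )
        : '';

    // 2. Authorization: the caller must be allowed to edit *this specific*
    //    object, not merely be logged in. 'edit_post' is a meta capability that
    //    WordPress maps per post (author, post status, post type caps).
    if ( ! $gallery_id || ! current_user_can( 'edit_post', $gallery_id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 3. Validate the new value against an allow-list before persisting it.
    $allowed = array( 'public', 'private' );
    if ( ! in_array( $visibility, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'invalid visibility' ), 400 );
    }

    update_post_meta( $gallery_id, '_example_visibility', $visibility );
    wp_send_json_success( array( 'gallery_id' => $gallery_id, 'visibility' => $visibility ) );
}
add_action( 'wp_ajax_example_gallery_update_hardened', 'example_gallery_update_hardened' );
```

When auditing a plugin for this class of bug, the useful question for each `wp_ajax_*`, `admin_post_*`, REST route or shortcode handler is whether the code decides authorization per object (`current_user_can( 'edit_post', $id )`) rather than per login state; a nonce alone proves the request came from a page the user loaded, not that the user is entitled to the operation.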
Affected Systems
Any WordPress installation that uses the Sunshine Photo Cart plugin, specifically versions from the earliest release through 3.5.7.1. The issue affects all sites that have not upgraded beyond that version.
Risk and Exploitability
The CVSS score of 4.3 indicates moderate severity: the access bypass is real, but the impact on system integrity is limited. The EPSS score of <1% signals a very low likelihood of active exploitation, and the vulnerability is not listed in the CISA KEV catalog, further suggesting limited current exploitation. The attack surface is limited to users who can interact with the plugin, meaning that an attacker must either have a user account or be able to submit requests that reach the plugin's endpoints. The overall risk is moderate, but remediation is still advisable to close the unauthorized access pathway.
OpenCVE Enrichment