Description
The Ecwid by Lightspeed Ecommerce Shopping Cart plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 7.0.7. This is due to a missing capability check in the 'save_custom_user_profile_fields' function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to supply the 'ec_store_admin_access' parameter during a profile update and gain store manager access to the site.
Published: 2026-02-15
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises from a missing capability check in the save_custom_user_profile_fields function. Authenticated users with minimal permissions, such as subscribers, can supply the ec_store_admin_access parameter during a profile update, which grants them store manager privileges. The flaw is a classic privilege escalation issue, classified as CWE-269, allowing a low-privilege user to gain higher-level control over the e-commerce platform.
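
As an added illustration (not code from the plugin, the vendor or this record), the following shows the pattern the analysis describes, a profile-update handler that stores a request-supplied flag with no capability check, beside a hardened form that requires an administrative capability and WordPress's profile-update nonce. The function names, hook wiring and meta key are hypothetical; only the parameter name ec_store_admin_access comes from the record.

```php
<?php
// Illustrative only. Hypothetical handler names and meta key; the request
// parameter ec_store_admin_access is the one named in the advisory.

// Vulnerable pattern: the handler trusts whatever the profile form submits.
// Any authenticated user saving their own profile can set the flag.
function insecure_save_custom_user_profile_fields( $user_id ) {
    if ( isset( $_POST['ec_store_admin_access'] ) ) {
        $value = $_POST['ec_store_admin_access'] ? '1' : '0';
        update_user_meta( $user_id, 'ec_store_admin_access', $value );
    }
}

// Hardened form: granting store-manager access is an administrative act,
// so require a capability subscribers never hold, verify the nonce that
// WordPress core attaches to profile submissions, and normalise the value.
function secure_save_custom_user_profile_fields( $user_id ) {
    if ( ! isset( $_POST['ec_store_admin_access'] ) ) {
        return;
    }
    // Core's nonce action for user-edit / profile form submissions.
    check_admin_referer( 'update-user_' . $user_id );

    // The check the advisory says is missing: who may assign this flag.
    // 'edit_user' alone is not enough, since users may edit themselves.
    if ( ! current_user_can( 'manage_options' )
        || ! current_user_can( 'edit_user', $user_id ) ) {
        return;
    }

    $raw   = wp_unslash( $_POST['ec_store_admin_access'] );
    $value = rest_sanitize_boolean( $raw ) ? '1' : '0';
    update_user_meta( $user_id, 'ec_store_admin_access', $value );
}

// Both hooks fire on profile save: own profile and editing another user.
add_action( 'personal_options_update',  'secure_save_custom_user_profile_fields' );
add_action( 'edit_user_profile_update', 'secure_save_custom_user_profile_fields' );
```

The hardened handler rejects the flag for any caller below administrator regardless of whose profile is being saved, which is the control the Recommended Actions below describe restoring.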

Affected Systems

Affected systems are installations of the Ecwid by Lightspeed Ecommerce Shopping Cart WordPress plugin through version 7.0.7 inclusive. All WordPress sites running any of these versions are susceptible until the plugin is updated to a fixed release.

Risk and Exploitability

The severity is high with a CVSS score of 8.8, yet the EPSS score of less than 1% indicates a very low likelihood of current exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers would need an authenticated session and would exploit the profile-update endpoint to set the ec_store_admin_access flag, thereby escalating privileges. Security teams should treat this as a high-risk flaw requiring prompt remediation.

Generated by OpenCVE AI on April 15, 2026 at 20:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Ecwid plugin to the latest version (7.0.8 or later) where the capability check has been restored.
  • If an immediate upgrade is not possible, remove or restrict the ec_store_admin_access parameter from the user profile update form for roles below store manager level.
  • Revoke the store manager capability from all subscribers and lower roles, ensuring only authorized users can assign store manager status.
  • Monitor user activity logs for unauthorized attempts to set the ec_store_admin_access flag and block such requests.

Advisories

No advisories yet.

History

Tue, 17 Feb 2026 22:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 16 Feb 2026 12:15:00 +0000

Type: First Time appeared
Values Added: Ecwid; Ecwid ecwid By Lightspeed Ecommerce Shopping Cart; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Ecwid; Ecwid ecwid By Lightspeed Ecommerce Shopping Cart; Wordpress; Wordpress wordpress

Sun, 15 Feb 2026 04:15:00 +0000

Type: Description
Values Added: The Ecwid by Lightspeed Ecommerce Shopping Cart plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 7.0.7. This is due to a missing capability check in the 'save_custom_user_profile_fields' function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to supply the 'ec_store_admin_access' parameter during a profile update and gain store manager access to the site.

Type: Title
Values Added: Ecwid by Lightspeed Ecommerce Shopping Cart <= 7.0.7 - Authenticated (Subscriber+) Privilege Escalation via ec_store_admin_access

Type: Weaknesses
Values Added: CWE-269

Type: References
Values Added: (empty)

Type: Metrics
Values Added: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:44:05.992Z

Reserved: 2026-02-02T06:58:05.355Z

Link: CVE-2026-1750

Vulnrichment

Updated: 2026-02-17T21:22:29.080Z

NVD

Status: Deferred

Published: 2026-02-15T04:15:54.113

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1750

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T20:30:13Z

Weaknesses