Description
Missing Authorization vulnerability in Ecwid by Lightspeed Ecommerce Shopping Cart Ecwid Shopping Cart ecwid-shopping-cart allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ecwid Shopping Cart: from n/a through <= 7.0.6.
Published: 2026-01-23
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authorization bypass
Action: Apply patch
AI Analysis

Impact

This is a missing authorization flaw (CWE-862): the Ecwid Shopping Cart plugin exposes at least one action without the capability check that should restrict it to privileged users, so the server processes a request for that action regardless of who sends it. The advisory does not name the affected action. The CVSS vector currently recorded for the CVE (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) describes it as reachable over the network without authentication and rates the impact as low on availability only, with no confidentiality or integrity impact; the vector recorded at publication rated it as a low confidentiality impact instead (see History). On either reading the exposure is confined to whatever the unprotected action does. The record does not support unauthenticated changes to products, payment settings or store configuration, and the score should not be read as "anyone can administer the store".

Affected Systems

Affected systems are WordPress sites running the Ecwid Shopping Cart plugin (directory slug ecwid-shopping-cart) from Lightspeed Ecommerce at version 7.0.6 or earlier. The advisory gives no lower bound ("from n/a"), so every release up to and including 7.0.6 should be treated as affected, whether the plugin is active or merely installed. Installed version, not activation state, is what to inventory.
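To find out whether a site falls in this range, the installed version can be read from the plugin header. The following must-use plugin is an added example written for this page, not Ecwid's or OpenCVE's code; it assumes only the plugin directory slug ecwid-shopping-cart given in the advisory (the main file name is not assumed, the directory is scanned) and flags any copy at 7.0.6 or below with an admin notice:

```php
<?php
/**
 * Plugin Name: Ecwid CVE-2026-24613 version check (example)
 *
 * Example mu-plugin written for this page, not part of Ecwid or OpenCVE.
 * Place it in wp-content/mu-plugins/ to get an admin notice while the
 * installed Ecwid Shopping Cart version is within the advisory's affected
 * range (<= 7.0.6). The directory slug ecwid-shopping-cart comes from the
 * advisory; the plugin's main file name is not assumed.
 */

const ECWID_CHECK_LAST_AFFECTED = '7.0.6';

/**
 * Returns the installed Ecwid Shopping Cart version, or null if the plugin
 * is not installed. Reads plugin headers, so inactive copies are reported too.
 */
function ecwid_check_installed_version() {
    if ( ! function_exists( 'get_plugins' ) ) {
        // get_plugins() lives in an admin include that is not loaded on
        // front-end or WP-CLI requests.
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    foreach ( get_plugins() as $file => $data ) {
        if ( 0 === strpos( $file, 'ecwid-shopping-cart/' ) ) {
            return $data['Version'];
        }
    }
    return null;
}

/**
 * True when $version is inside the affected range. version_compare() is used
 * deliberately: a plain string comparison ranks '7.0.10' below '7.0.6' and
 * would wrongly flag (or miss) releases with two-digit components.
 */
function ecwid_check_is_affected( $version ) {
    return null !== $version
        && version_compare( $version, ECWID_CHECK_LAST_AFFECTED, '<=' );
}

add_action( 'admin_notices', function () {
    $version = ecwid_check_installed_version();
    if ( ! ecwid_check_is_affected( $version ) ) {
        return;
    }
    printf(
        '<div class="notice notice-error"><p>%s</p></div>',
        esc_html( sprintf(
            'Ecwid Shopping Cart %s is installed; versions through %s are affected by CVE-2026-24613 (missing authorization). Update or deactivate the plugin.',
            $version,
            ECWID_CHECK_LAST_AFFECTED
        ) )
    );
} );
```

The same functions can be called from the command line with WP-CLI, which loads mu-plugins: wp eval 'var_export( ecwid_check_is_affected( ecwid_check_installed_version() ) );'. For a fleet inventory, wp plugin get ecwid-shopping-cart --field=version prints the version directly; in either case compare it with version_compare() or sort -V, never as a plain string.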

Risk and Exploitability

The CVSS 3.1 base score is 5.3 (Medium) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L: network-reachable, low attack complexity, no privileges and no user interaction required, with a low availability impact only. EPSS puts the probability of exploitation in the wild below 1 %, the CVE is not in CISA's KEV catalog, and the SSVC assessment recorded at publication reads Exploitation: none, Automatable: yes, Technical Impact: partial. Because the missing check is on the server side, the attack is a plain unauthenticated HTTP request to the unprotected plugin endpoint on any WordPress site running an affected version; no account on the site is needed. The modest score reflects the limited impact of the exposed action, not any difficulty in exploiting it, and "Automatable: yes" means that mass scanning for affected sites is straightforward once the endpoint becomes public knowledge.

Generated by OpenCVE AI on April 16, 2026 at 01:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Ecwid Shopping Cart plugin to a release later than 7.0.6 as soon as one is published; the advisory lists 7.0.6 as the last affected version. Check the installed version from Plugins > Installed Plugins or with wp plugin get ecwid-shopping-cart --field=version.
  • If an immediate update is not possible, deactivate the plugin until a fixed release is available. Role-based access controls and .htaccess rules are not a substitute here: the missing check is inside the plugin's own request handler, so role configuration is never consulted, and plugin endpoints are normally served through admin-ajax.php or the REST API, which every other plugin on the site also uses, so blocking those paths wholesale breaks the site. If the affected endpoint is identified, block it at the web server or WAF by its exact path or action name.
  • Keep file editing disabled (DISALLOW_FILE_EDIT in wp-config.php) and review the other installed plugins for the same pattern: REST routes registered with a permission_callback of __return_true, and admin-ajax handlers hooked on wp_ajax_nopriv_ without a capability check in the handler.
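As an added illustration of what a CWE-862 defect and its fix look like in a WordPress plugin (example code written for this page, not Ecwid's code; the advisory does not identify the affected endpoint, so the route names under store-example/v1, the AJAX action names store_example_reindex and store_example_reindex_safe, and the helper store_example_do_reindex() are hypothetical), the following shows a REST route and an admin-ajax handler registered with no authorization check at all, beside the hardened equivalents that require the manage_options capability and, for the AJAX path, a nonce:

```php
<?php
/**
 * Example only: a missing-authorization pattern (CWE-862) in a WordPress
 * plugin and its hardened form. Not Ecwid's code; every route, action and
 * function name below is hypothetical.
 */

// Hypothetical privileged operation. Rebuilding an index is expensive, so an
// unauthenticated caller who can trigger it repeatedly degrades the site: an
// availability impact of the kind the recorded CVSS vector describes.
function store_example_do_reindex() {
    // ... expensive work would go here ...
    return array( 'status' => 'reindexed' );
}

// ---- VULNERABLE: no authorization check --------------------------------

add_action( 'rest_api_init', function () {
    register_rest_route( 'store-example/v1', '/reindex', array(
        'methods'             => 'POST',
        'callback'            => 'store_example_do_reindex',
        // __return_true makes the route public: any unauthenticated request
        // runs the callback. Omitting permission_callback entirely has the
        // same effect (WordPress 5.5+ logs a _doing_it_wrong notice but still
        // serves the route).
        'permission_callback' => '__return_true',
    ) );
} );

// The wp_ajax_nopriv_ hook registers the handler for logged-out visitors as
// well, and the handler itself never asks who is calling.
add_action( 'wp_ajax_store_example_reindex',        'store_example_ajax_reindex_vulnerable' );
add_action( 'wp_ajax_nopriv_store_example_reindex', 'store_example_ajax_reindex_vulnerable' );
function store_example_ajax_reindex_vulnerable() {
    wp_send_json_success( store_example_do_reindex() );
}

// ---- HARDENED: capability check, plus a nonce for admin-ajax -------------

add_action( 'rest_api_init', function () {
    register_rest_route( 'store-example/v1', '/reindex-safe', array(
        'methods'             => 'POST',
        'callback'            => 'store_example_do_reindex',
        // WordPress evaluates this before the callback; a false result yields
        // a rest_forbidden error (401 for anonymous, 403 for logged-in users).
        // Cookie-authenticated REST calls must also carry a valid X-WP-Nonce
        // header (wp_create_nonce( 'wp_rest' )), which core checks itself.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
} );

// Logged-in hook only: no wp_ajax_nopriv_ registration for a privileged action.
add_action( 'wp_ajax_store_example_reindex_safe', 'store_example_ajax_reindex_hardened' );
function store_example_ajax_reindex_hardened() {
    // The nonce (wp_create_nonce( 'store_example_reindex' ), sent as 'nonce')
    // defends against CSRF; the capability check is the authorization
    // decision. Both are needed: a nonce only proves the request originated
    // from a page the site served, not that this user may perform the action.
    check_ajax_referer( 'store_example_reindex', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    wp_send_json_success( store_example_do_reindex() );
}
```

When auditing a plugin for this class of bug, the two things to grep for are register_rest_route() calls whose permission_callback is __return_true or absent, and wp_ajax_nopriv_ hooks; each hit then needs a look at the handler to confirm whether the action is genuinely meant to be public.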


Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed:
  cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}
Values Added:
  cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed:
  Missing Authorization vulnerability in Ecwid by Lightspeed Ecommerce Shopping Cart Ecwid Shopping Cart ecwid-shopping-cart allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ecwid Shopping Cart: from n/a through <= 7.0.5.
Values Added:
  Missing Authorization vulnerability in Ecwid by Lightspeed Ecommerce Shopping Cart Ecwid Shopping Cart ecwid-shopping-cart allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ecwid Shopping Cart: from n/a through <= 7.0.6.

Type: Title
Values Removed:
  WordPress Ecwid Shopping Cart plugin <= 7.0.5 - Broken Access Control vulnerability
Values Added:
  WordPress Ecwid Shopping Cart plugin <= 7.0.6 - Broken Access Control vulnerability

Mon, 26 Jan 2026 12:00:00 +0000

Type: First Time appeared
Values Added:
  Lightspeedhq
  Lightspeedhq ecwid Ecommerce Shopping Cart
  Wordpress
  Wordpress wordpress

Type: Vendors & Products
Values Added:
  Lightspeedhq
  Lightspeedhq ecwid Ecommerce Shopping Cart
  Wordpress
  Wordpress wordpress

Fri, 23 Jan 2026 22:15:00 +0000

Type: Metrics
Values Added:
  cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}
  ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 14:45:00 +0000

Type: Description
Values Added:
  Missing Authorization vulnerability in Ecwid by Lightspeed Ecommerce Shopping Cart Ecwid Shopping Cart ecwid-shopping-cart allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ecwid Shopping Cart: from n/a through <= 7.0.5.

Type: Title
Values Added:
  WordPress Ecwid Shopping Cart plugin <= 7.0.5 - Broken Access Control vulnerability

Type: Weaknesses
Values Added:
  CWE-862

Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:50.380Z

Reserved: 2026-01-23T12:32:24.371Z

Link: CVE-2026-24613

Vulnrichment

Updated: 2026-01-23T17:05:35.695Z

NVD

Status : Deferred

Published: 2026-01-23T15:16:20.143

Modified: 2026-04-28T15:16:19.537

Link: CVE-2026-24613

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-16T01:45:20Z

Weaknesses