Description
Missing Authorization vulnerability in WP Sunshine Sunshine Photo Cart allows Exploiting Incorrectly Configured Access Control Security Levels.

This issue affects Sunshine Photo Cart: from n/a through 3.6.7.
Published: 2026-05-25
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Missing authorization controls in WP Sunshine Photo Cart versions up to 3.6.7 allow an attacker to bypass intended security restrictions and potentially modify or access information that should be restricted. The flaw stems from incorrectly configured access control levels, resulting in a CWE-862 weakness that can expose sensitive data or alter the state of the plugin without proper user permissions.

Affected Systems

The vulnerability affects all instances of the WP Sunshine Photo Cart plugin with versions from the earliest released build up through 3.6.7. Site administrators should verify the installed plugin version and ensure it lies outside this affected range.

Risk and Exploitability

The CVSS score of 6.3 indicates moderate severity, and the lack of an EPSS score means the current exploitation probability is unknown. The flaw is not listed in the CISA KEV catalog, suggesting no known high-profile exploitation. Attackers are likely to exploit this via crafted HTTP requests targeting plugin endpoints, especially when the site's access control configuration is misaligned. Since the issue is broken access control, no local user privilege escalation or remote code execution is explicitly reported, but the ability to access privileged operations could lead to further damage.

Generated by OpenCVE AI on May 26, 2026 at 00:51 UTC.

Remediation

Vendor Solution

Update the WordPress Sunshine Photo Cart Plugin to the latest available version (at least 3.6.8).


OpenCVE Recommended Actions

  • Update the WP Sunshine Photo Cart plugin to version 3.6.8 or newer.
  • Verify that the plugin's pages are properly restricted by reviewing user roles and capabilities in the WordPress admin dashboard.
  • If a patch is not immediately available, temporarily disable or remove the plugin to prevent unauthorized access until the update is applied.

Advisories

No advisories yet.

History

Wed, 27 May 2026 10:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Sunshinephotocart; Sunshinephotocart sunshine Photo Cart; Wordpress; Wordpress wordpress
Vendors & Products | | Sunshinephotocart; Sunshinephotocart sunshine Photo Cart; Wordpress; Wordpress wordpress

Tue, 26 May 2026 11:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 25 May 2026 23:00:00 +0000

Type | Values Removed | Values Added
Description | | Missing Authorization vulnerability in WP Sunshine Sunshine Photo Cart allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sunshine Photo Cart: from n/a through 3.6.7.
Title | | WordPress Sunshine Photo Cart plugin <= 3.6.7 - Broken Access Control vulnerability
Weaknesses | | CWE-862
References | |
Metrics | | cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-26T10:50:00.472Z

Reserved: 2026-04-29T11:42:26.336Z

Link: CVE-2026-42776

Vulnrichment

Updated: 2026-05-26T10:49:55.840Z

NVD

Status: Deferred

Published: 2026-05-25T23:16:33.200

Modified: 2026-05-26T19:31:20.323

Link: CVE-2026-42776

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T09:45:30Z

Weaknesses