Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
8.8
Ecwid Ecommerce Shopping Cart plugin allows attackers to gain admin access
CVE-2026-1750
Summary
If an attacker with low-level permissions updates a user profile, they may gain full control over an online store. This affects all versions of the Ecwid Ecommerce Shopping Cart plugin for WordPress up to 7.0.7. To fix this, update to version 7.0.8 or later.
Original title
The Ecwid by Lightspeed Ecommerce Shopping Cart plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 7.0.7. This is due to a missing capability check in ...
Original description
The Ecwid by Lightspeed Ecommerce Shopping Cart plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 7.0.7. This is due to a missing capability check in the 'save_custom_user_profile_fields' function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to supply the 'ec_store_admin_access' parameter during a profile update and gain store manager access to the site.
nvd CVSS3.1
8.8
Vulnerability type
CWE-269
Improper Privilege Management
Published: 15 Feb 2026 · Updated: 10 Mar 2026 · First seen: 6 Mar 2026