Privilege Escalation in Ecwid by Lightspeed Ecommerce Shopping Cart for WordPress
CVE-2026-1750

8.8HIGH

Key Information:

Vendor: WordPress
Status: Ecwid By Lightspeed Ecommerce Shopping Cart
Vendor: CVE Published:; 15 February 2026

What is CVE-2026-1750?

The Ecwid by Lightspeed Ecommerce Shopping Cart plugin for WordPress contains a vulnerability that allows authenticated attackers to escalate their privileges. Specifically, the issue arises from a lack of proper capability checks in the 'save_custom_user_profile_fields' function. This flaw allows users with minimal permissions, such as subscribers, to manipulate the 'ec_store_admin_access' parameter during a profile update, potentially granting them store manager access. Website administrators should take immediate action to update their plugins to safeguard against this type of unauthorized access.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

Ecwid by Lightspeed Ecommerce Shopping Cart * <= 7.0.7

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/ecwid-shopping...

https://plugins.trac.wordpress.org/changeset/3460721/ecwi...

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 15, 2026
Vulnerability Reserved
Feb 2, 2026

Credit

Nguyen Ngoc Duc

JSON

WordPress

What is CVE-2026-1750?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

CVSS V3.1

Timeline

Credit

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.