Privilege Escalation in SureCart Plugin for WordPress
CVE-2026-7655
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 11 July 2026
What is CVE-2026-7655?
The SureCart plugin for WordPress has a vulnerability that allows unauthorized users to escalate privileges by performing account takeover. This security flaw arises from improper validation of user identities during processes such as email updates in customer profile synchronization via webhook events. As a result, unauthenticated attackers can alter linked users' email addresses, jeopardizing even administrator accounts. If an attacker is aware of a valid customer ID, they can exploit this vulnerability to reset the user's password and gain unauthorized access to their account, making it critical for users to ensure they are using the latest version.
Affected Version(s)
SureCart β Ecommerce Made Easy For Selling Physical Products, Digital Downloads, Subscriptions, Donations, & Payments 0 <= 4.2.3