{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-5482", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-06-02T19:40:42.633Z", "datePublished": "2025-06-04T07:21:45.490Z", "dateUpdated": "2026-04-08T16:52:57.489Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:52:57.489Z"}, "affected": [{"vendor": "sunshinephotocart", "product": "Sunshine Photo Cart \u2013 Client Photo Gallery & Photo Proofing for Photographers", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.4.11", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Sunshine Photo Cart: Free Client Photo Galleries for Photographers plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.4.11. This is due to the plugin not properly validating a user-supplied key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary user's passwords through the password reset functionality, including administrators, and leverage that to reset the user's password and gain access to their account."}], "title": "Sunshine Photo Cart <= 3.4.11 - Authenticated (Subscriber+) Privilege Escalation", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5311b43c-14dd-4bdd-b6d0-d6468b831968?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/sunshine-photo-cart/trunk/includes/functions/account.php#L303"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3305406%40sunshine-photo-cart%2Ftrunk&old=3261773%40sunshine-photo-cart%2Ftrunk&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-620 Unverified Password Change", "cweId": "CWE-620", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Brian Sans-Souci"}, {"lang": "en", "type": "finder", "value": "Audrey Fran\u00e7ois"}], "timeline": [{"time": "2025-06-03T19:10:16.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-06-04T13:44:24.662897Z", "id": "CVE-2025-5482", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-04T13:44:39.256Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-5482", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-06-04T13:44:24.662897Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-06-04T13:44:35.765Z"}}], "cna": {"title": "Sunshine Photo Cart <= 3.4.11 - Authenticated (Subscriber+) Privilege Escalation", "credits": [{"lang": "en", "type": "finder", "value": "Brian Sans-Souci"}, {"lang": "en", "type": "finder", "value": "Audrey Fran\u00e7ois"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}}], "affected": [{"vendor": "sunshinephotocart", "product": "Sunshine Photo Cart \u2013 Client Photo Gallery & Photo Proofing for Photographers", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.4.11"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-06-03T19:10:16.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5311b43c-14dd-4bdd-b6d0-d6468b831968?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/sunshine-photo-cart/trunk/includes/functions/account.php#L303"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3305406%40sunshine-photo-cart%2Ftrunk&old=3261773%40sunshine-photo-cart%2Ftrunk&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Sunshine Photo Cart: Free Client Photo Galleries for Photographers plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.4.11. This is due to the plugin not properly validating a user-supplied key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary user's passwords through the password reset functionality, including administrators, and leverage that to reset the user's password and gain access to their account."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-620", "description": "CWE-620 Unverified Password Change"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:52:57.489Z"}}}, "cveMetadata": {"cveId": "CVE-2025-5482", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:52:57.489Z", "dateReserved": "2025-06-02T19:40:42.633Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-06-04T07:21:45.490Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sunshinephotocart:sunshine_photo_cart:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "D403EABC-61D2-48AC-A56B-6A9F63F901DD", "versionEndExcluding": "3.4.12", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Sunshine Photo Cart: Free Client Photo Galleries for Photographers plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 3.4.11. This is due to the plugin not properly validating a user-supplied key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change arbitrary user's passwords through the password reset functionality, including administrators, and leverage that to reset the user's password and gain access to their account."}, {"lang": "es", "value": "El complemento Sunshine Photo Cart: Free Client Photo Galleries for Photographers para WordPress es vulnerable a la escalada de privilegios mediante el robo de cuentas en todas las versiones hasta la 3.4.11 incluida. Esto se debe a que el complemento no valida correctamente la clave proporcionada por el usuario. Esto permite a atacantes autenticados, con acceso de suscriptor o superior, cambiar las contrase\u00f1as de usuarios arbitrarios mediante la funci\u00f3n de restablecimiento de contrase\u00f1a, incluyendo administradores, y aprovechar esta situaci\u00f3n para restablecer la contrase\u00f1a del usuario y acceder a su cuenta."}], "id": "CVE-2025-5482", "lastModified": "2025-07-11T18:50:03.380", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2025-06-04T08:15:22.613", "references": [{"source": "security@wordfence.com", "tags": ["Product"], "url": "https://plugins.trac.wordpress.org/browser/sunshine-photo-cart/trunk/includes/functions/account.php#L303"}, {"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3305406%40sunshine-photo-cart%2Ftrunk&old=3261773%40sunshine-photo-cart%2Ftrunk&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5311b43c-14dd-4bdd-b6d0-d6468b831968?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-620"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-21T20:27:45.042284+00:00", "value": {"mitigation_remediation": ["Upgrade the Sunshine Photo Cart plugin to version 3.4.12 or later.", "Configure the plugin or role settings to disable password reset capabilities for the Subscriber role, or remove that capability from the role entirely.", "If immediate upgrade is not feasible, remove Subscriber privileges from users that do not require frontend access and consider temporarily disabling the plugin\u2019s access to the password reset functionality until the fix is applied."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation via Password Reset"}, "threat_synthesis": {"affected_systems": "Sunshine Photo Cart, a WordPress plugin, is affected in all versions up to and including 3.4.11. No specific vendor version details are provided beyond the maximum vulnerable release.", "description_and_impact": "The plugin failure allows an authenticated user with Subscriber-level access or higher to reset the password of any other user, including administrators, by exploiting an unvalidated key. This grants full access to the victim's account, enabling the attacker to compromise confidentiality, integrity, and availability of the site. The weakness is a privilege escalation flaw (CWE-620).", "risk_and_exploitability": "The vulnerability has a CVSS score of 8.8, indicating high severity, but the EPSS score is less than 1%, suggesting a low likelihood of exploitation at present. It is not listed in the CISA KEV catalog. Attackers need to be authenticated as a Subscriber or above, after which they can trigger the password reset function to impersonate any user. No remote code execution or other exploitation techniques are required beyond leveraging the existing password reset flow."}}}}, "created": "2026-04-21T20:30:27.402650+00:00", "updated": "2026-04-21T20:30:27.402660+00:00", "vendors": []}