{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24580", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-23T12:32:07.880Z", "datePublished": "2026-01-23T14:28:59.009Z", "dateUpdated": "2026-04-28T16:14:49.744Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "ecwid-shopping-cart", "product": "Ecwid Shopping Cart", "vendor": "Ecwid by Lightspeed Ecommerce Shopping Cart", "versions": [{"changes": [{"at": "7.0.6", "status": "unaffected"}], "lessThanOrEqual": "7.0.5", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Rapid0nion | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:20:55.401Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Ecwid by Lightspeed Ecommerce Shopping Cart Ecwid Shopping Cart ecwid-shopping-cart allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Ecwid Shopping Cart: from n/a through <= 7.0.5.</p>"}], "value": "Missing Authorization vulnerability in Ecwid by Lightspeed Ecommerce Shopping Cart Ecwid Shopping Cart ecwid-shopping-cart allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ecwid Shopping Cart: from n/a through <= 7.0.5."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:49.744Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/ecwid-shopping-cart/vulnerability/wordpress-ecwid-shopping-cart-plugin-7-0-5-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Ecwid Shopping Cart plugin <= 7.0.5 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-26T18:35:35.619630Z", "id": "CVE-2026-24580", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T14:29:52.269Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24580", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-26T18:35:35.619630Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-26T18:35:33.206Z"}}], "cna": {"title": "WordPress Ecwid Shopping Cart plugin <= 7.0.5 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Rapid0nion | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Ecwid by Lightspeed Ecommerce Shopping Cart", "product": "Ecwid Shopping Cart", "versions": [{"status": "affected", "changes": [{"at": "7.0.6", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "7.0.5"}], "packageName": "ecwid-shopping-cart", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:20:55.401Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/ecwid-shopping-cart/vulnerability/wordpress-ecwid-shopping-cart-plugin-7-0-5-broken-access-control-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Ecwid by Lightspeed Ecommerce Shopping Cart Ecwid Shopping Cart ecwid-shopping-cart allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ecwid Shopping Cart: from n/a through <= 7.0.5.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in Ecwid by Lightspeed Ecommerce Shopping Cart Ecwid Shopping Cart ecwid-shopping-cart allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Ecwid Shopping Cart: from n/a through <= 7.0.5.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:06.756Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24580", "state": "PUBLISHED", "dateUpdated": "2026-04-28T14:29:52.269Z", "dateReserved": "2026-01-23T12:32:07.880Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-23T14:28:59.009Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Ecwid by Lightspeed Ecommerce Shopping Cart Ecwid Shopping Cart ecwid-shopping-cart allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ecwid Shopping Cart: from n/a through <= 7.0.5."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en Ecwid por Lightspeed Ecommerce Shopping Cart Ecwid Shopping Cart ecwid-shopping-cart permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a Ecwid Shopping Cart: desde n/a hasta &lt;= 7.0.5."}], "id": "CVE-2026-24580", "lastModified": "2026-04-28T15:16:16.557", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-23T15:16:15.903", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/ecwid-shopping-cart/vulnerability/wordpress-ecwid-shopping-cart-plugin-7-0-5-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-16T01:39:15.966450+00:00", "value": {"mitigation_remediation": ["Upgrade the Ecwid Shopping Cart plugin to the latest version (>= 7.0.6) that includes the correct access control checks.", "Verify that all administrative URLs related to the plugin are protected by proper role checks before executing any actions.", "If a newer version is not yet available, temporarily disable the plugin or restrict access to its admin pages until the patch is released."], "summary": {"action": "Patch", "impact": "Unauthorized Data Access via Broken Access Control"}, "threat_synthesis": {"affected_systems": "The issue affects the Ecwid by Lightspeed Ecommerce Shopping Cart plugin for WordPress, specifically all releases from the earliest versions through 7.0.5. Users running any of these affected versions are at risk until a newer, properly secured release is applied.", "description_and_impact": "The vulnerability is an authority flaw that allows an attacker to bypass the access control logic implemented by the Ecwid Shopping Cart plugin. If successfully exploited, an attacker could perform actions or read data on the website that should be restricted to privileged users, potentially modifying orders or sensitive customer information.", "risk_and_exploitability": "The CVSS score of 4.3 denotes a moderate impact, and the EPSS score of less than 1% suggests a very low probability of active exploitation at this time. The vulnerability is not listed in CISA\u2019s KEV catalog, indicating it has not yet been publicly exploited. The likely attack vector is through the WordPress site\u2019s administrative interface, where the plugin\u2019s configuration pages can be accessed without sufficient role verification. An attacker with the ability to submit crafted requests or view the affected URLs could exploit the flaw to elevate privileges or extract restricted data."}}}}, "created": "2026-01-26T11:53:43.201354+00:00", "updated": "2026-04-16T01:45:20.656993+00:00", "vendors": ["lightspeedhq", "lightspeedhq$PRODUCT$ecwid_ecommerce_shopping_cart", "wordpress", "wordpress$PRODUCT$wordpress"]}