{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24613", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-01-23T12:32:24.371Z", "datePublished": "2026-01-23T14:29:04.954Z", "dateUpdated": "2026-04-28T16:14:50.380Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "ecwid-shopping-cart", "product": "Ecwid Shopping Cart", "vendor": "Ecwid by Lightspeed Ecommerce Shopping Cart", "versions": [{"changes": [{"at": "7.0.7", "status": "unaffected"}], "lessThanOrEqual": "7.0.6", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Legion Hunter | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:20:50.128Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in Ecwid by Lightspeed Ecommerce Shopping Cart Ecwid Shopping Cart ecwid-shopping-cart allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Ecwid Shopping Cart: from n/a through <= 7.0.6.</p>"}], "value": "Missing Authorization vulnerability in Ecwid by Lightspeed Ecommerce Shopping Cart Ecwid Shopping Cart ecwid-shopping-cart allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ecwid Shopping Cart: from n/a through <= 7.0.6."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:50.380Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/ecwid-shopping-cart/vulnerability/wordpress-ecwid-shopping-cart-plugin-7-0-5-broken-access-control-vulnerability-2?_s_id=cve"}], "title": "WordPress Ecwid Shopping Cart plugin <= 7.0.6 - Broken Access Control vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-23T17:05:41.313870Z", "id": "CVE-2026-24613", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T14:37:52.967Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24613", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-23T17:05:41.313870Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-23T17:05:35.695Z"}}], "cna": {"title": "WordPress Ecwid Shopping Cart plugin <= 7.0.6 - Broken Access Control vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "Legion Hunter | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Ecwid by Lightspeed Ecommerce Shopping Cart", "product": "Ecwid Shopping Cart", "versions": [{"status": "affected", "changes": [{"at": "7.0.7", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "7.0.6"}], "packageName": "ecwid-shopping-cart", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:20:50.128Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/ecwid-shopping-cart/vulnerability/wordpress-ecwid-shopping-cart-plugin-7-0-5-broken-access-control-vulnerability-2?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Ecwid by Lightspeed Ecommerce Shopping Cart Ecwid Shopping Cart ecwid-shopping-cart allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ecwid Shopping Cart: from n/a through <= 7.0.6.", "supportingMedia": [{"type": "text/html", "value": "Missing Authorization vulnerability in Ecwid by Lightspeed Ecommerce Shopping Cart Ecwid Shopping Cart ecwid-shopping-cart allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Ecwid Shopping Cart: from n/a through <= 7.0.6.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "Missing Authorization"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:14:07.023Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24613", "state": "PUBLISHED", "dateUpdated": "2026-04-28T14:37:52.967Z", "dateReserved": "2026-01-23T12:32:24.371Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-01-23T14:29:04.954Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in Ecwid by Lightspeed Ecommerce Shopping Cart Ecwid Shopping Cart ecwid-shopping-cart allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ecwid Shopping Cart: from n/a through <= 7.0.6."}, {"lang": "es", "value": "Vulnerabilidad de autorizaci\u00f3n faltante en Ecwid por Lightspeed Ecommerce Shopping Cart Ecwid Shopping Cart ecwid-shopping-cart permite la explotaci\u00f3n de niveles de seguridad de control de acceso configurados incorrectamente. Este problema afecta a Ecwid Shopping Cart: desde n/a hasta &lt;= 7.0.5."}], "id": "CVE-2026-24613", "lastModified": "2026-04-28T15:16:19.537", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2026-01-23T15:16:20.143", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/ecwid-shopping-cart/vulnerability/wordpress-ecwid-shopping-cart-plugin-7-0-5-broken-access-control-vulnerability-2?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-16T01:31:21.260909+00:00", "value": {"mitigation_remediation": ["Update the Ecwid Shopping Cart plugin to the latest version, which contains the authorization fix.", "If an immediate update is not possible, restrict access to all plugin management URLs to only administrators by configuring the site\u2019s role\u2011based access controls or by adding .htaccess rules.", "Disable WordPress file editing and review other plugin permissions to ensure loosely protected configuration files are not accessible."], "summary": {"action": "Apply patch", "impact": "Authorization bypass"}, "threat_synthesis": {"affected_systems": "Affected systems are WordPress sites that have the Ecwid Shopping Cart plugin installed with a version equal to or less than 7.0.6. The plugin is provided by Lightspeed Ecommerce under the product label Ecwid Shopping Cart.", "description_and_impact": "This vulnerability is a missing Authorization flaw that lets attackers use incorrectly configured access control security levels within the Ecwid by Lightspeed Ecommerce Shopping Cart plugin. An attacker who can reach routes protected for privileged users\u2014such as product management, payment settings, or store configuration\u2014can perform those operations without proper credentials. The impact includes unauthorized modification or disclosure of store data, potential disruption of e\u2011commerce operations, and possible fraud.", "risk_and_exploitability": "The CVSS base score is 5.3, reflecting moderate potential damage. EPSS indicates a very low exploitation probability (less than 1\u202f%). The vulnerability is not listed in CISA\u2019s KEV catalog, suggesting no widespread exploitation yet. Attackers can target the plugin over the web interface of a WordPress installation; therefore, the attack vector is likely remote web. The exploit requires reaching the administrative endpoints that are normally restricted, and no special user privileges are needed beforehand since the authorization check is missing."}}}}, "created": "2026-01-26T11:52:48.880031+00:00", "updated": "2026-04-16T01:45:20.646287+00:00", "vendors": ["lightspeedhq", "lightspeedhq$PRODUCT$ecwid_ecommerce_shopping_cart", "wordpress", "wordpress$PRODUCT$wordpress"]}