Ecwid by Lightspeed Ecommerce Shopping Cart < 7.0.8 – Subscriber+ Privilege Escalation | CVE 2026-1750

Description

The plugin is vulnerable to Privilege Escalation due to a missing capability check in the 'save_custom_user_profile_fields' function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to supply the 'ec_store_admin_access' parameter during a profile update and gain store manager access to the site.

Proof of Concept

Login as a subscriber, save your profile, replay the request and add the following POST data to it `&ec_store_admin_access=1`

Affects Plugins

ecwid-shopping-cart

Fixed in 7.0.8

References

CVE

CVE-2026-1750

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/2d29f77c-b86d-4058-b528-27631e8a1f2e

Classification

Type

PRIVESC

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CWE-269

CVSS

8.8 (high)

Miscellaneous

Original Researcher

Nguyen Ngoc Duc (duc193)

Verified

WPVDB ID

dda88031-50fd-49b7-a6b1-dc92b487e124

Timeline

Publicly Published

2026-02-14 (about 3 months ago)

Added

2026-02-14 (about 3 months ago)

Last Updated

2026-06-05 (about 1 hour ago)

Other

Published

Title

Published

2025-12-03

Title

WP Directory Kit < 1.4.5 - Privilege Escalation via Account Takeover

Published

2024-10-09

Title

UserPlus <= 2.0 - Editor+ Registration Form Update to Privilege Escalation

Published

2024-06-03

Title

Frontend Registration – Contact Form 7 <= 5.1 - Authenticated (Editor+) Privilege Escalation

Published

2025-03-06

Title

School Management System for Wordpress <= 93.0.0 - Student+ Account Takeover and Privilege Escalation

Published

2025-01-13

Title

Homey <= 2.4.1 - Authenticated (Subscriber+) Privilege Escalation