The SureCart plugin for WordPress is vulnerable to privilege escalation via account takeover in versions up to, and including, 4.2.3. This is due to the plugin not properly validating a user's identity prior to updating their details like email during customer profile synchronization from webhook events. This makes it possible for unauthenticated attackers to change linked user's email addresses, including administrators if the administrator account is linked to a SureCart customer record, and leverage that to reset the user's password and gain access to their account if the customer ID is known.
History

Wed, 15 Jul 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 13 Jul 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Surecart
Surecart surecart – Ecommerce Made Easy For Selling Physical Products, Digital Downloads, Subscriptions, Donations, & Payments
Wordpress
Wordpress wordpress
Vendors & Products Surecart
Surecart surecart – Ecommerce Made Easy For Selling Physical Products, Digital Downloads, Subscriptions, Donations, & Payments
Wordpress
Wordpress wordpress

Sat, 11 Jul 2026 05:45:00 +0000

Type Values Removed Values Added
Description The SureCart plugin for WordPress is vulnerable to privilege escalation via account takeover in versions up to, and including, 4.2.3. This is due to the plugin not properly validating a user's identity prior to updating their details like email during customer profile synchronization from webhook events. This makes it possible for unauthenticated attackers to change linked user's email addresses, including administrators if the administrator account is linked to a SureCart customer record, and leverage that to reset the user's password and gain access to their account if the customer ID is known.
Title SureCart <= 4.2.3 - Unauthenticated Linked WordPress Account Takeover via Forged customer.updated Webhook
Weaknesses CWE-640
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2026-07-11T04:32:59.281Z

Updated: 2026-07-15T13:38:54.348Z

Reserved: 2026-05-01T18:32:09.448Z

Link: CVE-2026-7655

cve-icon Vulnrichment

Updated: 2026-07-15T13:38:48.707Z

cve-icon NVD

No data.

cve-icon Redhat

No data.