{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-26T12:38:39.402","vulnerabilities":[{"cve":{"id":"CVE-2026-1750","sourceIdentifier":"security@wordfence.com","published":"2026-02-15T04:15:54.113","lastModified":"2026-06-17T10:16:27.257","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"The Ecwid by Lightspeed Ecommerce Shopping Cart plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 7.0.7. This is due to a missing capability check in the 'save_custom_user_profile_fields' function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to supply the 'ec_store_admin_access' parameter during a profile update and gain store manager access to the site."},{"lang":"es","value":"El plugin Ecwid by Lightspeed Ecommerce Shopping Cart para WordPress es vulnerable a la escalada de privilegios en todas las versiones hasta la 7.0.7, inclusive. Esto se debe a una comprobación de capacidad faltante en la función 'save_custom_user_profile_fields'. Esto permite que atacantes autenticados, con permisos mínimos como un suscriptor, suministren el parámetro 'ec_store_admin_access' durante una actualización de perfil y obtengan acceso de administrador de tienda al sitio."}],"affected":[{"source":"security@wordfence.com","affectedData":[{"vendor":"ecwid","product":"Ecwid by Lightspeed Ecommerce Shopping Cart","defaultStatus":"unaffected","versions":[{"version":"0","lessThanOrEqual":"7.0.7","versionType":"semver","status":"affected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"security@wordfence.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2026-02-17T21:22:24.977857Z","id":"CVE-2026-1750","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"security@wordfence.com","type":"Secondary","description":[{"lang":"en","value":"CWE-269"}]}],"references":[{"url":"https://plugins.trac.wordpress.org/browser/ecwid-shopping-cart/tags/7.0.7/includes/class-ec-store-admin-access.php#L28","source":"security@wordfence.com"},{"url":"https://plugins.trac.wordpress.org/changeset/3460721/ecwid-shopping-cart#file2","source":"security@wordfence.com"},{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/2d29f77c-b86d-4058-b528-27631e8a1f2e?source=cve","source":"security@wordfence.com"}]}}]}