CVE-2026-1750 - Vulnerability Analysis
Severity: High | CVSS: 8.8 | Last Updated: February 15, 2026
Ecwid by Lightspeed Ecommerce Shopping Cart - Privilege Escalation
Overview
The Ecwid by Lightspeed Ecommerce Shopping Cart WordPress plugin, versions <= 7.0.7, contains a privilege escalation vulnerability caused by a missing capability check in the 'save_custom_user_profile_fields' function. Authenticated attackers with minimal permissions can gain store manager access. Exploitation requires authentication, but only with minimal permissions.
Impact
Authenticated attackers with minimal permissions can escalate to store manager access, compromising site management.
Mitigation
Update to a version later than 7.0.7 or the latest available version.
References
- https://plugins.trac.wordpress.org/browser/ecwid-shopping-cart/tags/7.0.7/includes/class-ec-store-admin-access.php#L28
- https://plugins.trac.wordpress.org/changeset/3460721/ecwid-shopping-cart#file2
- https://www.wordfence.com/threat-intel/vulnerabilities/id/2d29f77c-b86d-4058-b528-27631e8a1f2e?source=cve
Social Media Activity (2 posts)
🔒 CVE-2026-1750 (HIGH): Privilege escalation in Ecwid by Lightspeed Shopping Cart for WordPress (≤7.0.7). Authenticated users can gain store manager access via missing capability checks. Patch when available, audit roles now. https://radar.offseq.com/threat/cve-2026-1750-cwe-269-improper-privilege-managemen-02c6a8ce #OffSeq #WordPress #Infosec
Details
- CVE ID: CVE-2026-1750
- Severity: High
- CVSS Score: 8.8
- Type: broken_access_control
- Status: new
- EPSS: 3.0%
- Social Posts: 2
CWE
- CWE-269
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H