CVE-2026-1750 in Ecwid by Lightspeed Ecommerce Shopping Cart Plugin
Summary
by MITRE • 02/15/2026
The Ecwid by Lightspeed Ecommerce Shopping Cart plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 7.0.7. This is due to a missing capability check in the 'save_custom_user_profile_fields' function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to supply the 'ec_store_admin_access' parameter during a profile update and gain store manager access to the site.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 02/20/2026
The vulnerability identified as CVE-2026-1750 affects the Ecwid by Lightspeed Ecommerce Shopping Cart plugin for WordPress, representing a critical privilege escalation flaw that undermines the security model of WordPress installations. This issue exists in all versions up to and including 7.0.7, making it a widespread concern for users who have not yet updated their plugin installations. The vulnerability stems from inadequate access control mechanisms within the plugin's codebase, specifically in the handling of user profile updates and capability verification processes. Security researchers have identified that the plugin fails to properly validate user permissions when processing certain parameters, creating an exploitable condition that allows attackers to manipulate their access levels within the ecommerce platform.
The technical flaw manifests through the 'save_custom_user_profile_fields' function which lacks proper capability checks to verify whether an authenticated user possesses sufficient privileges to modify specific parameters. An attacker with minimal permissions, such as a subscriber account, can exploit this weakness by injecting the 'ec_store_admin_access' parameter during a profile update request. This parameter modification effectively grants the attacker elevated privileges within the Ecwid plugin interface, allowing them to assume store manager access rights. The vulnerability demonstrates a clear violation of the principle of least privilege, where users should only have access to functionality directly related to their assigned roles and permissions. This flaw directly corresponds to CWE-276, which addresses improper privileges for a resource, and represents a classic example of insufficient access control validation in web applications.
The operational impact of this vulnerability extends beyond simple privilege escalation, as it provides attackers with comprehensive access to the ecommerce platform's administrative functions. Once an attacker gains store manager access, they can manipulate product catalogs, modify pricing structures, access customer data, process refunds, and potentially execute further attacks on the broader WordPress installation. The vulnerability is particularly concerning because it requires minimal user permissions to exploit, meaning that even low-privilege accounts can be leveraged to gain significant control over the ecommerce operations. This makes it attractive to attackers who may have already gained access to compromised subscriber accounts through various means such as credential theft, social engineering, or other initial compromise techniques. The vulnerability aligns with ATT&CK technique T1078.004 which covers valid accounts and T1484.001 which addresses privilege escalation through manipulation of access control lists.
Mitigation strategies for this vulnerability should prioritize immediate plugin updates to versions that address the capability check deficiency. Administrators should ensure that all users have the latest plugin versions installed and regularly monitor for security updates from the vendor. Additionally, implementing proper access control measures such as role-based access control (RBAC) and regular permission audits can help reduce the impact of such vulnerabilities. Network-level protections including web application firewalls and intrusion detection systems can also provide additional layers of defense against exploitation attempts. Organizations should conduct thorough security assessments of their WordPress installations to identify and remediate similar privilege escalation vulnerabilities across other plugins and themes. The vulnerability underscores the critical importance of maintaining up-to-date software components and implementing robust security practices to prevent unauthorized privilege escalation within web applications. Regular security monitoring and timely patch management are essential to protect against these types of attacks that exploit fundamental access control weaknesses in popular web platforms.