PT-2026-57403 · WordPress · Surecart

Supakiad S

·

Published

2026-07-11

·

Updated

2026-07-11

·

CVE-2026-7655

CVSS v3.1

8.1

High

VectorAV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions SureCart versions prior to 4.2.4
Description An issue exists that allows privilege escalation via account takeover. The software fails to properly validate a user's identity when updating details, such as the email address, during customer profile synchronization from webhook events. An unauthenticated attacker who knows the customer ID can change the linked user's email address, including that of an administrator if the account is linked to a SureCart customer record, and subsequently reset the password to gain unauthorized account access.
Recommendations Update SureCart to version 4.2.4 or later.

Fix

LPE

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-7655

Affected Products

Surecart