PT-2026-57403 · WordPress · Surecart
Supakiad S
·
Published
2026-07-11
·
Updated
2026-07-11
·
CVE-2026-7655
CVSS v3.1
8.1
High
| Vector | AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
SureCart versions prior to 4.2.4
Description
An issue exists that allows privilege escalation via account takeover. The software fails to properly validate a user's identity when updating details, such as the email address, during customer profile synchronization from webhook events. An unauthenticated attacker who knows the customer ID can change the linked user's email address, including that of an administrator if the account is linked to a SureCart customer record, and subsequently reset the password to gain unauthorized account access.
Recommendations
Update SureCart to version 4.2.4 or later.
Fix
LPE
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Surecart