CVE-2026-24613
Description
Missing Authorization vulnerability in Ecwid by Lightspeed Ecommerce Shopping Cart Ecwid Shopping Cart ecwid-shopping-cart allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ecwid Shopping Cart: from n/a through <= 7.0.6.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Ecwid Shopping Cart plugin for WordPress <=7.0.6 contains a missing authorization vulnerability allowing privilege escalation.
Vulnerability Overview
The Ecwid Shopping Cart plugin for WordPress (versions through 7.0.6) suffers from a missing authorization vulnerability, categorized as a Broken Access Control issue [1]. The flaw stems from incorrectly configured access control security levels in the plugin's code, which fail to properly verify user capabilities before executing certain privileged actions [1].
Exploitation
An unauthenticated or low-privileged attacker can exploit this vulnerability by sending crafted requests to the affected plugin's endpoints without proper permission checks. No authentication is required, making the attack surface broader [1]. The vulnerability is of interest in mass-exploit campaigns, where attackers target thousands of websites simultaneously [1].
Impact
Successful exploitation allows an attacker to perform actions that should be restricted to higher-privileged users, such as modifying plugin settings or accessing sensitive data [1]. The CVSS v3 base score is 5.3 (Medium), with the vector indicating low confidentiality and integrity impact but no direct effect on availability [1].
Mitigation
The vendor released version 7.0.7 which fixes the missing authorization checks [1]. All users are advised to update to this version immediately. For sites that cannot update, enabling the Patchstack auto-update feature or consulting a hosting provider is recommended [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: <= 7.0.6
- Range: <= 7.0.6
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.