CVE-2026-42776
Description
Missing Authorization vulnerability in WP Sunshine Sunshine Photo Cart allows Exploiting Incorrectly Configured Access Control Security Levels.
This issue affects Sunshine Photo Cart: from n/a through 3.6.7.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Sunshine Photo Cart 3.6.7 and earlier have broken access control allowing unprivileged users to perform higher-privileged actions.
Vulnerability
The Sunshine Photo Cart WordPress plugin through version 3.6.7 suffers from a broken access control (missing authorization) vulnerability. The plugin fails to properly check user permissions or nonce tokens on certain functions, making it possible for an attacker to exploit incorrectly configured access control security levels [1].
Exploitation
An attacker needs no special privileges—the vulnerability can be exploited remotely without authentication. By sending crafted requests to the vulnerable endpoint, an attacker can trigger actions that should require higher privileges. No user interaction is required [1]. This type of vulnerability is frequently used in mass exploitation campaigns targeting thousands of websites [1].
Impact
Successful exploitation allows an unprivileged attacker to execute higher-privileged actions within the plugin, leading to unauthorized access or modification of data. The exact CIA outcome depends on the context of the affected functionality, but it may include information disclosure or data manipulation [1].
Mitigation
The vendor released version 3.6.8 to fix the vulnerability. All users should update to 3.6.8 or later immediately [1]. For users unable to update, Patchstack provides a mitigation rule that can block attacks until the update is applied. Hosting providers or web developers may also assist with temporary workarounds [1].
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE) range: <=3.6.7
- (no CPE) range: <=3.6.7
Patches
No patches discovered yet.
References