Skip to content
Threat Feed
high advisory

SureCart WordPress Plugin Vulnerable to Account Takeover and Privilege Escalation

The SureCart plugin for WordPress, in versions up to and including 4.2.3, is vulnerable to privilege escalation through an account takeover, where unauthenticated attackers can exploit a lack of proper identity validation during customer profile synchronization via webhook events to change linked user email addresses, potentially leading to administrator account compromise.

A critical vulnerability, CVE-2026-7655, has been identified in the SureCart plugin for WordPress, affecting all versions up to and including 4.2.3. The flaw allows for privilege escalation via an account takeover due to inadequate identity validation during customer profile synchronization handled by webhook events. Unauthenticated attackers can exploit this vulnerability by providing a known SureCart customer ID, enabling them to change the associated WordPress user's email address to one they control. If an administrator account is linked to a SureCart customer record, an attacker can leverage this access to initiate a password reset for the administrator, thereby gaining full control over the WordPress administrative account. This poses a significant risk to the integrity and confidentiality of affected WordPress installations, as it allows for complete site compromise.

Attack Chain

  1. An unauthenticated attacker identifies a SureCart customer record ID that is linked to a WordPress user account on the target website.
  2. The attacker crafts a malicious webhook event request containing the identified customer ID and an attacker-controlled email address.
  3. The SureCart plugin processes the webhook event without adequately validating the user's identity.
  4. Due to the vulnerability, the plugin updates the linked WordPress user's email address to the attacker-controlled address.
  5. The attacker initiates a password reset request for the compromised WordPress user account via the WordPress login page.
  6. The password reset link is sent to the attacker-controlled email address.
  7. The attacker accesses the password reset link, sets a new password, and successfully logs into the WordPress user account.
  8. If the compromised account was an administrator, the attacker achieves privilege escalation and gains full administrative control over the WordPress site.

Impact

The successful exploitation of CVE-2026-7655 leads to full account takeover of any WordPress user whose account is linked to a SureCart customer record, provided the attacker knows the customer ID. The most severe impact occurs when an administrator account is targeted, resulting in complete compromise of the WordPress website. This can lead to unauthorized data access, content manipulation, arbitrary code execution, and potential website defacement or defunction. The vulnerability affects a broad range of WordPress sites utilizing the SureCart plugin versions up to 4.2.3.

Recommendation

  • Patch CVE-2026-7655 immediately by updating the SureCart plugin for WordPress to a version beyond 4.2.3.
  • Review access logs for unusual activity surrounding wp-admin/admin-ajax.php or other SureCart-related endpoints, especially for POST requests with unusual parameters, which could indicate attempts to exploit CVE-2026-7655.
  • Regularly audit administrator accounts and their associated email addresses, ensuring they are not linked to external systems in a way that could introduce vulnerabilities like CVE-2026-7655.