{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/surecart-plugin--4.2.3/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-7655"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["SureCart plugin (\u003c= 4.2.3)","WordPress"],"_cs_severities":["high"],"_cs_tags":["privilege-escalation","account-takeover","wordpress","plugin","web-application"],"_cs_type":"advisory","_cs_vendors":["SureCart","WordPress"],"content_html":"\u003cp\u003eA critical vulnerability, CVE-2026-7655, has been identified in the SureCart plugin for WordPress, affecting all versions up to and including 4.2.3. The flaw allows for privilege escalation via an account takeover due to inadequate identity validation during customer profile synchronization handled by webhook events. Unauthenticated attackers can exploit this vulnerability by providing a known SureCart customer ID, enabling them to change the associated WordPress user's email address to one they control. If an administrator account is linked to a SureCart customer record, an attacker can leverage this access to initiate a password reset for the administrator, thereby gaining full control over the WordPress administrative account. This poses a significant risk to the integrity and confidentiality of affected WordPress installations, as it allows for complete site compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a SureCart customer record ID that is linked to a WordPress user account on the target website.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious webhook event request containing the identified customer ID and an attacker-controlled email address.\u003c/li\u003e\n\u003cli\u003eThe SureCart plugin processes the webhook event without adequately validating the user's identity.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability, the plugin updates the linked WordPress user's email address to the attacker-controlled address.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a password reset request for the compromised WordPress user account via the WordPress login page.\u003c/li\u003e\n\u003cli\u003eThe password reset link is sent to the attacker-controlled email address.\u003c/li\u003e\n\u003cli\u003eThe attacker accesses the password reset link, sets a new password, and successfully logs into the WordPress user account.\u003c/li\u003e\n\u003cli\u003eIf the compromised account was an administrator, the attacker achieves privilege escalation and gains full administrative control over the WordPress site.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-7655 leads to full account takeover of any WordPress user whose account is linked to a SureCart customer record, provided the attacker knows the customer ID. The most severe impact occurs when an administrator account is targeted, resulting in complete compromise of the WordPress website. This can lead to unauthorized data access, content manipulation, arbitrary code execution, and potential website defacement or defunction. The vulnerability affects a broad range of WordPress sites utilizing the SureCart plugin versions up to 4.2.3.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-7655 immediately by updating the SureCart plugin for WordPress to a version beyond 4.2.3.\u003c/li\u003e\n\u003cli\u003eReview access logs for unusual activity surrounding \u003ccode\u003ewp-admin/admin-ajax.php\u003c/code\u003e or other SureCart-related endpoints, especially for POST requests with unusual parameters, which could indicate attempts to exploit CVE-2026-7655.\u003c/li\u003e\n\u003cli\u003eRegularly audit administrator accounts and their associated email addresses, ensuring they are not linked to external systems in a way that could introduce vulnerabilities like CVE-2026-7655.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-11T06:19:12Z","date_published":"2026-07-11T06:19:12Z","id":"https://feed.craftedsignal.io/briefs/2026-07-surecart-privilege-escalation/","summary":"The SureCart plugin for WordPress, in versions up to and including 4.2.3, is vulnerable to privilege escalation through an account takeover, where unauthenticated attackers can exploit a lack of proper identity validation during customer profile synchronization via webhook events to change linked user email addresses, potentially leading to administrator account compromise.","title":"SureCart WordPress Plugin Vulnerable to Account Takeover and Privilege Escalation","url":"https://feed.craftedsignal.io/briefs/2026-07-surecart-privilege-escalation/"}],"language":"en","title":"CraftedSignal Threat Feed - SureCart Plugin (\u003c= 4.2.3)","version":"https://jsonfeed.org/version/1.1"}