What the vulnerability does
01 Description
The EasyCommerce – AI-Powered, Fast & Beautiful WordPress Ecommerce Plugin plugin for WordPress is vulnerable to Privilege Escalation in versions 0.9.0-beta2 to 1.8.2. This is due to the /easycommerce/v1/orders REST API endpoint not properly restricting the ability for users to select roles during registration. This makes it possible for unauthenticated attackers to gain administrator-level access to a vulnerable site.
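As an added illustration (not the plugin's own code, and not a reconstruction of the actual /easycommerce/v1/orders handler), the snippet below shows the general shape of the flaw class the description names: a public registration REST route that honours a client-supplied role, next to a hardened form in which the server alone decides the role. A small audit helper follows for checking which administrator accounts were registered after a given date, the sort of check a site owner wants after a disclosure like this one. The route namespace `example/v1`, the function names, and the `username`/`email`/`password`/`role` parameter names are assumptions; the WordPress APIs used (`register_rest_route`, `wp_insert_user`, `get_users`) are real.

```php
<?php
// Added example, not EasyCommerce code. Route names, callbacks and parameter
// names are assumed; only the WordPress API calls are real.

// --- Weak pattern (assumed, for illustration): the role is taken from the request.
// Any caller can pass role=administrator and the account is created with it.
function example_register_weak( WP_REST_Request $request ) {
    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( $request->get_param( 'username' ) ),
        'user_email' => sanitize_email( $request->get_param( 'email' ) ),
        'user_pass'  => $request->get_param( 'password' ),
        'role'       => $request->get_param( 'role' ), // client controls the role
    ) );
    return is_wp_error( $user_id ) ? $user_id : array( 'id' => $user_id );
}

// --- Hardened form: registration honours the site setting, and the role is
// always the configured default. The callback never reads a role from the request,
// so a role field sent by the client has no effect.
function example_register_hardened( WP_REST_Request $request ) {
    if ( ! get_option( 'users_can_register' ) ) {
        return new WP_Error( 'registration_closed', 'Registration is disabled.', array( 'status' => 403 ) );
    }
    $user_id = wp_insert_user( array(
        'user_login' => sanitize_user( $request->get_param( 'username' ), true ),
        'user_email' => sanitize_email( $request->get_param( 'email' ) ),
        'user_pass'  => $request->get_param( 'password' ),
        'role'       => get_option( 'default_role', 'subscriber' ), // never from the request
    ) );
    return is_wp_error( $user_id ) ? $user_id : array( 'id' => $user_id );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/register', array(
        'methods'             => 'POST',
        'callback'            => 'example_register_hardened',
        'permission_callback' => '__return_true', // public by design: this is self-registration
        'args'                => array(
            'username' => array( 'required' => true, 'type' => 'string' ),
            'email'    => array( 'required' => true, 'type' => 'string', 'format' => 'email' ),
            'password' => array( 'required' => true, 'type' => 'string' ),
            // No 'role' argument is declared and the callback does not read one.
        ),
    ) );
} );

// --- Audit helper: administrator accounts registered on or after a MySQL-format
// datetime (e.g. '2025-11-01 00:00:00'), to compare against the accounts you expect.
function example_admins_registered_since( $since_mysql_datetime ) {
    $admins = get_users( array(
        'role'    => 'administrator',
        'orderby' => 'registered',
        'order'   => 'DESC',
    ) );
    $recent = array();
    foreach ( $admins as $user ) {
        // user_registered is a 'Y-m-d H:i:s' string, so a plain string comparison orders correctly
        if ( $user->user_registered >= $since_mysql_datetime ) {
            $recent[] = array(
                'login'      => $user->user_login,
                'email'      => $user->user_email,
                'registered' => $user->user_registered,
            );
        }
    }
    return $recent;
}
```

The design point is that the role never travels in the request at all: validating or whitelisting a client-supplied role still leaves a field an attacker can probe, whereas deriving it server-side from `default_role` removes the decision from the caller entirely. The audit helper can be run from a small mu-plugin or via `wp eval-file` on a site that exposes self-registration.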
Explanation of Vulnerability in Simple Terms
02 Summary
The EasyCommerce plugin for WordPress contains a privilege management flaw affecting versions up to 1.8.2. An unauthenticated attacker can exploit this vulnerability over the network without user interaction to gain unauthorized access, modify site data, or disrupt service. The vulnerability requires no special conditions and poses a critical risk to any WordPress site running the affected plugin.
What an attacker can do
03 Attacker Capabilities
Read sensitive data, modify or delete site content, and disrupt site availability without authentication.
Potential impact on your site
04 Site Impact
Attackers can compromise your entire WordPress site, steal customer data, modify products/orders, or take the site offline.
Conditions required to exploit
05 Prerequisites
Network access only; no authentication, user interaction, or special configuration required.
Key dates
06 Disclosure timeline
November 11, 2025: CVE published
April 8, 2026: Record updated