CVE-2026-24613 MEDIUM

CVE-2026-24613: WordPress Ecwid Shopping Cart plugin <= 7.0.6 - Broken Access Control vulnerability

Vendor Ecwid By Lightspeed Ecommerce Shopping Cart

Product Ecwid Shopping Cart

Weakness CWE-862 · Missing authorization

Published January 23, 2026

Last update April 28, 2026

View on NVD All CVEs

CVSS base score

5.3/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality None

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

What the vulnerability does

01Description

Missing Authorization vulnerability in Ecwid by Lightspeed Ecommerce Shopping Cart Ecwid Shopping Cart ecwid-shopping-cart allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ecwid Shopping Cart: from n/a through <= 7.0.6.

Key dates

02Disclosure timeline

January 23, 2026 CVE published

April 28, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-24613

Related vulnerabilities

04Related CVE

CVE-2025-12574 Listar – Directory Listing & Classifieds WordPress Plugin <= 3.0.0 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Post Deletion CVE-2023-2556 WPCS – WordPress Currency Switcher Professional <= 1.1.9 - Missing Authorization to Arbitrary Custom Drop-Down Currency Switcher Deletion CVE-2024-37202 WordPress Ultimate Custom Add To Cart Button (Ajax) For WooCommerce by Binary Carpenter plugin <= 1.222.17 - Broken Access Control to XSS vulnerability CVE-2026-32437 WordPress VW Portfolio theme <= 1.3.3 - Broken Access Control vulnerability CVE-2024-43158 WordPress Masteriyo LMS plugin <= 1.11.4 - Broken Access Control vulnerability

Identifiers

CVE CVE-2026-24613

CWE CWE-862

CVSS 5.3 / MEDIUM

Affected versions

Vendor Ecwid By Lightspeed Ecommerce Shopping Cart

Product Ecwid Shopping Cart

Affected ≤ 7.0.6