CVE-2026-57748 HIGH

CVE-2026-57748: WordPress Shopify plugin <= 1.0.0 - Local File Inclusion vulnerability

Vendor Shopify Help Center
Product Shopify
Weakness CWE-98 · PHP file inclusion
Published July 2, 2026
Last update July 2, 2026

CVSS base score

7.5/10
Attack vector Network
Attack complexity High
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

Contributor Local File Inclusion in Shopify <= 1.0.0 versions.

Explanation of Vulnerability in Simple Terms

02Summary

A low-privileged authenticated user can read, modify, or delete data in Shopify Help Center version 1.0.0 and earlier. The vulnerability requires network access and a valid user account but does not require user interaction. An attacker with low-level permissions can escalate their access to sensitive information and site functionality.

What an attacker can do

03Attacker Capabilities

Read, modify, or delete data in the Help Center with a low-privilege user account.

Potential impact on your site

04Site Impact

Unauthorized data access, modification, or deletion by authenticated users with limited permissions.

Conditions required to exploit

05Prerequisites

Attacker must have a valid low-privilege user account; network access required.

Key dates

06Disclosure timeline

July 2, 2026 CVE published
July 2, 2026 Record updated