CVE-2026-7655 HIGH

CVE-2026-7655: SureCart <= 4.2.3 - Unauthenticated Linked WordPress Account Takeover via Forged customer.updated Webhook

Vendor Surecart
Product SureCart – Ecommerce Made Easy For Selling Physical Products, Digital Downloads, Subscriptions, Donations, & Payments
Weakness CWE-640 · Weak password recovery
Published July 11, 2026
Last update July 11, 2026

CVSS base score

8.1/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

The SureCart plugin for WordPress is vulnerable to privilege escalation via account takeover in versions up to, and including, 4.2.3. This is due to the plugin not properly validating a user's identity prior to updating their details like email during customer profile synchronization from webhook events. This makes it possible for unauthenticated attackers to change linked user's email addresses, including administrators if the administrator account is linked to a SureCart customer record, and leverage that to reset the user's password and gain access to their account if the customer ID is known.

Explanation of Vulnerability in Simple Terms

02Summary

SureCart versions up to 4.2.3 contain a vulnerability that allows an attacker to read sensitive data, modify site content, or disrupt service availability. The attack requires network access and high technical complexity but no authentication or user interaction. This affects the core ecommerce functionality and could compromise customer data or payment information.

What an attacker can do

03Attacker Capabilities

Read sensitive data, modify site content, or disrupt service availability without authentication.

Potential impact on your site

04Site Impact

Customer data, payment information, and site integrity may be compromised; service availability may be disrupted.

Conditions required to exploit

05Prerequisites

Network access and high technical complexity to exploit; no authentication or user interaction required.

Key dates

06Disclosure timeline

July 11, 2026 CVE published

Related vulnerabilities

08Related CVE