High (8.8)

WordPress Privilege Escalation (CVE-2026-1750)

Act now: CVE-2026-1750 lets any logged-in user (subscriber role or above) on a WordPress site running the Ecwid by Lightspeed Ecommerce Shopping Cart plugin, versions up to and including 7.0.7, grant themselves store manager access. Update to version 7.0.8 or later immediately to close the privilege escalation.

Affected: Ecwid by Lightspeed Ecommerce Shopping Cart plugin for WordPress, versions up to and including 7.0.7

Vendor-confirmed - CVE-2026-1750 is a high-severity (CVSS 8.8) privilege escalation in Ecwid by Lightspeed Ecommerce Shopping Cart for WordPress, versions up to and including 7.0.7, that lets any subscriber-level user grant themselves store manager access via a crafted profile update. Update to version 7.0.8 or higher to obtain the missing capability check.

Overview

A high-severity vulnerability (CVSS 8.8) has been identified in the Ecwid by Lightspeed Ecommerce Shopping Cart plugin for WordPress. The flaw allows a user with the most basic permissions to escalate to the plugin's store manager role, giving them administrative control over the site's ecommerce functions.

Vulnerability Explained

In simple terms, the plugin hooks into WordPress profile updates to save its own per-user settings. That save routine never verifies whether the user making the request is permitted to assign administrative store access; the capability check that should guard the assignment is missing.

Because of this oversight, any logged-in user, even one with the lowest "subscriber" role, can submit a crafted request while updating their own profile (a page WordPress exposes to every authenticated account). By adding a specific parameter, ec_store_admin_access, to that request, they grant themselves "store manager" privileges, bypassing all of the permission controls the plugin intends to enforce.
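To make the bug class concrete, here is an illustrative reconstruction of the pattern described above beside its hardened form. This is an added example, not the Ecwid plugin's code: the hook names, the meta key used to store the grant, and the capability checked in the fix are assumptions; the advisory names only the request parameter.

```php
<?php
// Added example reconstructing the missing-capability-check pattern.
// NOT the Ecwid plugin's code; hooks, meta key and capability are assumptions.

// Vulnerable pattern: the save handler trusts a request parameter that grants
// store-admin access without asking whether the requester may grant it.
function vulnerable_save_store_access( $user_id ) {
    if ( isset( $_POST['ec_store_admin_access'] ) ) {
        // Every logged-in user reaches profile.php, so every user controls this value.
        $grant = ! empty( $_POST['ec_store_admin_access'] );
        update_user_meta( $user_id, 'ec_store_admin_access', $grant ); // meta key: assumption
    }
}
// personal_options_update fires when a user saves their own profile,
// edit_user_profile_update when someone edits another user's profile.
add_action( 'personal_options_update', 'vulnerable_save_store_access' );
add_action( 'edit_user_profile_update', 'vulnerable_save_store_access' );

// Hardened pattern: the *requester* (not the profile owner) must hold a
// capability that implies the right to grant store administration.
// Subscribers never do, so the self-grant path is closed.
function hardened_save_store_access( $user_id ) {
    if ( ! isset( $_POST['ec_store_admin_access'] ) ) {
        return;
    }
    // Core profile-update POSTs carry this nonce; reject forged submissions.
    check_admin_referer( 'update-user_' . $user_id );

    // 'manage_options' is administrator-only by default. Substitute whatever
    // capability the plugin reserves for store administration (assumption).
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $grant = ! empty( $_POST['ec_store_admin_access'] );
    update_user_meta( $user_id, 'ec_store_admin_access', $grant );
}
// In a real plugin, register this handler instead of the vulnerable one:
// add_action( 'personal_options_update', 'hardened_save_store_access' );
// add_action( 'edit_user_profile_update', 'hardened_save_store_access' );
```

The essential change is checking a capability of the current user rather than trusting the request. Note that the check is on who submits the form, not whose profile is being saved: a subscriber editing their own profile is exactly the case the vulnerable handler gets wrong.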

Potential Impact

The impact of this vulnerability is severe. A successful exploit would allow an attacker to:

  • Gain unauthorized access to the store’s management dashboard.
  • View, modify, or steal sensitive customer data, including orders and personal information.
  • Tamper with products, inventory, and pricing.
  • Intercept or manipulate financial transactions.
  • Use the compromised store manager account as a foothold for further attacks on the website.

This poses a direct threat to business operations, revenue, and customer privacy, and could lead to significant reputational damage.

Remediation and Mitigation Steps

Immediate action is required to secure affected websites.

  1. Update Immediately: The primary and most critical step is to update the Ecwid by Lightspeed Ecommerce Shopping Cart plugin to version 7.0.8 or higher. The plugin developers have released a patch that adds the proper capability check to fix this flaw.
  2. Verify User Roles: Audit the user list and, in particular, every account that holds store manager or administrator access. Flag low-privilege accounts (subscriber, customer) that hold store manager access, and accounts created or modified around the same time as unexplained profile updates; revoke any grant you cannot attribute to an administrator.
  3. Apply Principle of Least Privilege: Review and ensure all users, especially subscribers and customers, have only the minimum permissions necessary for their role.
  4. Monitor for Suspicious Activity: Review web server and application logs for POST requests to /wp-admin/profile.php from low-privilege accounts and for administrative store actions by those accounts. Bear in mind that the ec_store_admin_access parameter travels in the POST body, so a standard access log shows only the request to profile.php; a WAF or application-level log is needed to see the parameter itself.

Note: If you are unable to update the plugin immediately, consider disabling it until the update can be safely applied, bearing in mind this will render the shopping cart non-functional. The patch adds the missing capability check; it is not described as revoking access already granted, so the audit in step 2 is still required after updating.
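The audit in steps 2 and 4 can be scripted with WP-CLI. The following is an added example, not Ecwid's code, and it assumes the plugin persists the grant as user meta under the key ec_store_admin_access (the advisory names only the request parameter, not the storage key; adjust the key to what you find in the database). It lists every account holding the grant and flags those with no content or user-management capability, which is the signature of a self-granted subscriber.

```php
<?php
/**
 * Audit script for remediation steps 2 and 4. Added example, NOT Ecwid's code.
 * Assumption: the grant is stored as user meta under 'ec_store_admin_access'.
 *
 * List holders:             wp eval-file audit-store-access.php
 * Revoke flagged grants:    wp eval-file audit-store-access.php revoke
 */

$meta_key = 'ec_store_admin_access';            // assumption, see header comment
$revoke   = in_array( 'revoke', $args, true );  // wp eval-file exposes positional args as $args

// Pull only users that have the meta at all; the value is checked per user below.
$holders = get_users( array(
    'meta_key'     => $meta_key,
    'meta_compare' => 'EXISTS',
) );

$flagged = 0;
foreach ( $holders as $user ) {
    if ( ! get_user_meta( $user->ID, $meta_key, true ) ) {
        continue; // meta row present but falsy: no grant
    }

    // The bug lets a subscriber grant itself access. An account that can
    // neither edit posts nor edit users has no legitimate reason to hold it.
    $low_priv = ! user_can( $user, 'edit_posts' ) && ! user_can( $user, 'edit_users' );
    $label    = $low_priv ? 'FLAG' : 'ok  ';

    WP_CLI::log( sprintf(
        '%s id=%d login=%s roles=%s registered=%s',
        $label,
        $user->ID,
        $user->user_login,
        implode( ',', $user->roles ),
        $user->user_registered
    ) );

    if ( $low_priv ) {
        $flagged++;
        if ( $revoke ) {
            delete_user_meta( $user->ID, $meta_key );
            WP_CLI::log( "     revoked store access for user {$user->ID}" );
        }
    }
}

WP_CLI::log( sprintf(
    '%d account(s) hold the grant, %d flagged%s',
    count( $holders ),
    $flagged,
    $revoke ? ' and revoked' : ''
) );
```

Accounts printed as "ok" still deserve a manual check against the administrator who was supposed to have granted them, since an editor-level account could also have used the bug. Run the listing first and revoke only after the flagged grants have been confirmed as unauthorised.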
