Ecwid by Lightspeed Ecommerce Shopping Cart Privilege Escalation Vulnerability

Vulnerability

A privilege escalation vulnerability has been identified in the Ecwid by Lightspeed Ecommerce Shopping Cart plugin for WordPress, affecting all versions up to and including 7.0.7. The 'save_custom_user_profile_fields' function is missing a capability check, so authenticated attackers with minimal permissions, such as subscribers, can supply the 'ec_store_admin_access' parameter during a profile update. Doing so grants them unauthorized access to the store manager role on the site.

Impact

Exploitation of this vulnerability allows authenticated users with subscriber-level permissions to escalate their privileges to that of a store manager, gaining access to additional administrative capabilities within the WordPress site.

Remediation

Users are advised to update the Ecwid by Lightspeed Ecommerce Shopping Cart plugin to version 7.0.8 or a newer patched version.
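The following triage sketch is an added example, not code from the advisory or the plugin. It checks whether an installed version predates 7.0.8 and flags logged profile-update requests in which a low-privileged account submitted 'ec_store_admin_access'. The log record layout, the sample events and the choice of "administrator" as the only trusted role are assumptions.

```python
import re
from urllib.parse import parse_qs

FIXED_VERSION = (7, 0, 8)        # first patched release named in the advisory
PARAM = "ec_store_admin_access"  # parameter named in the advisory
TRUSTED_ROLES = {"administrator"}  # assumption: only admins may set PARAM

# Constructed sample records. The field layout is an assumption about what
# a WAF or audit logger that captures POST bodies would export.
SAMPLE_EVENTS = [
    {"user": "alice", "role": "administrator", "method": "POST",
     "path": "/wp-admin/user-edit.php", "body": "user_id=7&ec_store_admin_access=1"},
    {"user": "bob", "role": "subscriber", "method": "POST",
     "path": "/wp-admin/profile.php", "body": "nickname=bob&ec_store_admin_access=1"},
    {"user": "carol", "role": "subscriber", "method": "POST",
     "path": "/wp-admin/profile.php", "body": "nickname=carol"},
    {"user": "dave", "role": "subscriber", "method": "POST",
     "path": "/wp-admin/profile.php", "body": "nickname=d&ec%5Fstore%5Fadmin%5Faccess=on"},
]

def parse_version(text):
    """Turn '7.0.7' into (7, 0, 7), keeping only each part's leading digits."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)

def is_affected(installed):
    """True when the installed plugin version is older than 7.0.8."""
    v = parse_version(installed)
    v += (0,) * max(0, 3 - len(v))   # pad '7.1' to (7, 1, 0)
    return v < FIXED_VERSION

def suspicious_profile_updates(events):
    """Return (user, path, value) for PARAM sent by a non-trusted role."""
    hits = []
    for ev in events:
        if ev["method"] != "POST":
            continue
        # parse_qs decodes percent-encoded keys, so match on the decoded name
        params = parse_qs(ev["body"], keep_blank_values=True)
        if PARAM in params and ev["role"] not in TRUSTED_ROLES:
            hits.append((ev["user"], ev["path"], params[PARAM][0]))
    return hits

if __name__ == "__main__":
    print("7.0.7 affected:", is_affected("7.0.7"))
    for hit in suspicious_profile_updates(SAMPLE_EVENTS):
        print("review:", hit)
```

A hit on a site that ran 7.0.7 or earlier is a reason to review that account's current role and store access after updating.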

Added: Feb 15, 2026, 4:22 AM
Updated: Feb 15, 2026, 4:22 AM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 5.0
exploitability: 6.1
remediation: 7.7
relevance: 3.0
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.