CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-7655

highCVSS 8.1covered by 1 sourcefirst seen 2026-07-11
The SureCart plugin for WordPress is vulnerable to privilege escalation via account takeover in versions up to, and including, 4.2.3. This is due to the plugin not properly validating a user's identity prior to updating their details like email during customer profile synchronization from webhook events. This makes it possible for unauthenticated attackers to change linked user's email addresses, including administrators if the administrator account is linked to a SureCart customer record, and leverage that to reset the user's password and gain access to their account if the customer ID is known.

⚡ Watch CVE-2026-7655

Get an email if CVE-2026-7655 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Advisory coverage (1)

External references

NVD record for CVE-2026-7655

CVE.org record

Embed the live status

CVE-2026-7655 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-7655 status](https://www.csirts.com/badge/CVE-2026-7655)](https://www.csirts.com/cve/CVE-2026-7655)