The SureCart plugin for WordPress is vulnerable to privilege escalation via account takeover in versions up to, and including, 4.2.3. This is due to the plugin not properly validating a user's identity prior to updating their details like email during customer profile synchronization from webhook events. This makes it possible for unauthenticated attackers to change linked user's email addresses, including administrators if the administrator account is linked to a SureCart customer record, and leverage that to reset the user's password and gain access to their account if the customer ID is known.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
The SureCart WordPress plugin versions up to 4.2.3 contain a critical privilege escalation vulnerability (CVE-2026-7655, CVSS 8.1) that allows unauthenticated attackers to take over user accounts by modifying email addresses during webhook-triggered customer profile synchronization. The vulnerability stems from inadequate identity validation when processing profile updates, meaning an attacker can intercept or manipulate webhook events to change the email address associated with any linked account—including administrator accounts. This directly impacts WordPress sites using SureCart for e-commerce, customer management, or subscription handling, as successful exploitation grants full account control without requiring authentication credentials.
While this CVE currently maps to zero Casky.ai skills and lacks associated MITRE ATT&CK techniques, practitioners using Casky's Claude-powered reasoning engine would detect the attack patterns through behavioral anomaly analysis. Security teams should monitor for webhook processing anomalies, unexpected account credential changes (particularly email modifications on privileged accounts), and suspicious profile synchronization events that occur without corresponding user sessions. Detection would focus on identifying unauthenticated requests triggering account modifications, unusual webhook payload structures, and secondary indicators such as account recovery emails sent to unexpected addresses. Although no direct ATT&CK mapping exists, this attack aligns with T1078 (Valid Accounts) and T1098 (Account Manipulation) patterns, and practitioners should implement webhook signature validation, require re-authentication for sensitive account changes, and monitor SureCart plugin logs for anomalous synchronization activity.
Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →
Casky has 0 skills that investigate the attack patterns behind CVE-2026-7655. Run one and get CVSS-scored findings in 3 minutes.
Run the skill that detects this →© 2026 Casky.AI, Inc. · AI Security Investigation