PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-42776 WP Sunshine CVE debrief

A Missing Authorization vulnerability (CWE-862) in the WP Sunshine Sunshine Photo Cart WordPress plugin allows exploitation of incorrectly configured access control security levels. The vulnerability affects versions through 3.6.7; the CVE record gives the lower bound as n/a. The issue was published to the CVE List on 2026-05-25 and last modified on 2026-05-26. The NVD entry currently shows a status of 'Deferred'. No known exploitation in ransomware campaigns has been reported, and this CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

Vendor: WP Sunshine
Product: Sunshine Photo Cart
CVSS: MEDIUM 6.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-25
Original CVE updated: 2026-05-26
Advisory published: 2026-05-25
Advisory updated: 2026-05-26

Who should care

WordPress site administrators using the Sunshine Photo Cart plugin, security teams managing WordPress installations, and developers implementing access control in WordPress plugins.

Technical summary

The Sunshine Photo Cart WordPress plugin by WP Sunshine contains a Missing Authorization vulnerability (CWE-862) that permits exploitation of incorrectly configured access control security levels. The vulnerability is present in all versions through 3.6.7. The CVSS 3.1 score of 6.3 (Medium) reflects network accessibility, low attack complexity, low privilege requirements, and partial impacts to confidentiality, integrity, and availability. The NVD entry status is currently 'Deferred', indicating the vulnerability is under review or awaiting additional analysis.
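The summary gives the score and four of the base metrics but not User Interaction or Scope. The following added example (not from the advisory or the vendor) applies the CVSS v3.1 base-score formulas to the stated metrics and shows which values of the two unstated metrics reproduce 6.3. It assumes "partial" impact means Low for confidentiality, integrity and availability; function and variable names are illustrative.

```python
# CVSS v3.1 base-score check for the metrics this debrief states.
# Weights and formulas are from the FIRST CVSS v3.1 specification.
import math
from itertools import product

AV_NETWORK = 0.85                  # stated: network attack vector
AC_LOW = 0.77                      # stated: low attack complexity
PR_LOW = {"U": 0.62, "C": 0.68}    # stated: low privileges; weight depends on Scope
CIA_LOW = 0.22                     # assumption: "partial" impact read as Low for C, I, A
UI = {"N": 0.85, "R": 0.62}        # User Interaction: not stated on the page

def roundup(value):
    """Spec-defined round-up to one decimal place, robust to float noise."""
    scaled = round(value * 100000)
    if scaled % 10000 == 0:
        return scaled / 100000.0
    return (math.floor(scaled / 10000) + 1) / 10.0

def base_score(ui, scope):
    """Base score for UI in {N, R} and Scope in {U, C}, other metrics fixed."""
    iss = 1 - (1 - CIA_LOW) ** 3
    if scope == "U":
        impact = 6.42 * iss
    else:
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    exploitability = 8.22 * AV_NETWORK * AC_LOW * PR_LOW[scope] * UI[ui]
    if impact <= 0:
        return 0.0
    total = impact + exploitability
    if scope == "C":
        total *= 1.08
    return roundup(min(total, 10))

def all_scores():
    """Score for every combination of the two unstated metrics."""
    return {(ui, s): base_score(ui, s) for ui, s in product("NR", "UC")}

def candidates_matching(published):
    """Combinations of (UI, Scope) whose score equals the published one."""
    return [combo for combo, score in all_scores().items() if score == published]

if __name__ == "__main__":
    for (ui, scope), score in all_scores().items():
        print(f"UI:{ui}/S:{scope} -> {score}")
    print("consistent with 6.3:", candidates_matching(6.3))
```

Under these assumptions only one combination yields the published 6.3, which is useful when triaging from a score and a partial metric description without the full vector string.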

Defensive priority

medium

Recommended defensive actions

  • Update Sunshine Photo Cart plugin to a version newer than 3.6.7 when available
  • Review WordPress user role permissions and access controls for photo cart functionality
  • Monitor for unauthorized access attempts to photo cart administrative functions
  • Apply principle of least privilege for WordPress user accounts
  • Review Patchstack advisory for specific affected endpoints and configuration guidance

Evidence notes

The CVE description identifies WP Sunshine Sunshine Photo Cart as the affected product, with versions through 3.6.7 impacted. The CVSS 3.1 vector indicates a network attack vector with low attack complexity, low privileges required, and impacts to confidentiality, integrity, and availability. The NVD status is 'Deferred' as of the last modified date. The Patchstack reference provides additional technical context. Vendor identification is marked as low confidence, with review needed, based on reference domain analysis.
