Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Network-reachable wp-admin endpoint (AV:N/AC:L), requires an existing shop_manager account (PR:H), no victim interaction (UI:N), and full admin takeover yields C:H/I:H/A:H within the same WordPress instance (S:U).
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Shop manager Privilege Escalation in WooCommerce Cart Abandonment Recovery < 2.1.0 versions.
AnalysisAI
Privilege escalation in the WooCommerce Cart Abandonment Recovery WordPress plugin before version 2.1.0 allows an authenticated shop manager to elevate privileges beyond their intended role on affected WordPress sites. The flaw, tracked as CWE-266 (Incorrect Privilege Assignment), carries a CVSS 7.2 (High) score and has a vendor-released patch in 2.1.0, with no public exploit identified at time of analysis.
Technical ContextAI
The affected component is the WooCommerce Cart Abandonment Recovery plugin (CPE cpe:2.3:a:brainstorm_force:woocommerce_cart_abandonment_recovery), a Brainstorm Force / Cartflows WordPress extension for WooCommerce that tracks abandoned carts and triggers recovery emails. The root cause class is CWE-266 (Incorrect Privilege Assignment), meaning the plugin assigns or accepts a privilege level that exceeds what the calling user's WordPress role should permit. In WordPress, the shop_manager role is intentionally scoped to product/order management and should not be able to reach administrator-only capabilities; a CWE-266 flaw in a plugin endpoint typically arises from missing or mis-scoped current_user_can() checks, role/capability mapping errors, or trusting client-supplied role data in an AJAX/REST handler.
RemediationAI
Vendor-released patch: upgrade the WooCommerce Cart Abandonment Recovery plugin to version 2.1.0 or later via the WordPress plugin updater on every affected site, per the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/woo-cart-abandonment-recovery/vulnerability/wordpress-woocommerce-cart-abandonment-recovery-plugin-2-1-0-privilege-escalation-vulnerability. If immediate patching is not possible, deactivate and remove the plugin until it can be updated (this disables abandoned-cart recovery emails and tracking, so revenue-recovery campaigns will pause); alternatively, temporarily reduce or revoke the shop_manager role from non-essential users and audit recent administrator account creations and capability changes, accepting that this restricts day-to-day store operations for those accounts. As a network-layer compensating control, restrict /wp-admin and the plugin's AJAX/REST endpoints to known IP ranges via the web server or WAF, noting this can block legitimate remote staff.
Same weakness CWE-266 – Incorrect Privilege Assignment
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36934
GHSA-rwg3-rwpr-5x3m