Skip to main content

Smart Manager CVE-2026-45216

| EUVDEUVD-2026-31767 HIGH
Incorrect Privilege Assignment (CWE-266)
2026-05-25 Patchstack GHSA-7mvm-5m6v-x45x
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 08, 2026 - 09:45 vuln.today

DescriptionCVE.org

Incorrect Privilege Assignment vulnerability in StoreApps Smart Manager allows Privilege Escalation.

This issue affects Smart Manager: from n/a through 8.85.0.

AnalysisAI

Privilege escalation in the StoreApps Smart Manager WordPress plugin (versions up to and including 8.85.0) allows authenticated low-privilege users to elevate themselves to higher-privileged roles due to incorrect privilege assignment (CWE-266). The flaw was reported by Patchstack and carries a CVSS 3.1 score of 8.8, though there is no public exploit identified at time of analysis and EPSS is very low at 0.04%. Affected WooCommerce stores running this plugin should treat this as a meaningful internal-risk issue because any subscriber, customer, or shop-manager account could be leveraged to seize administrator control.

Technical ContextAI

Smart Manager (sold by StoreApps as 'Smart Manager for WP & WooCommerce', CPE cpe:2.3:a:storeapps:smart_manager) is a WordPress plugin that provides a spreadsheet-style admin dashboard for bulk editing posts, products, orders, users and other WordPress entities. The vulnerability falls under CWE-266 (Incorrect Privilege Assignment), meaning the plugin grants a user a privilege or capability they should not be entitled to - typically because a capability check (current_user_can) is missing, an AJAX/REST endpoint does not enforce the expected role, or user-supplied role/capability data is trusted when updating user objects. Because Smart Manager exposes write operations across WordPress core object types including the users table, a flaw in its role-handling logic can be turned directly into account-role manipulation.

RemediationAI

Upstream fix available per Patchstack advisory; a released patched version is not independently confirmed in the provided data, so administrators should upgrade Smart Manager to the latest release above 8.85.0 published by StoreApps and verify the version on the WordPress plugins page after update, consulting https://patchstack.com/database/wordpress/plugin/smart-manager-for-wp-e-commerce/vulnerability/wordpress-smart-manager-plugin-8-85-0-privilege-escalation-vulnerability for the exact fixed build. Until the patched version is applied, deactivate the Smart Manager plugin (this removes the bulk-management UI but does not break WooCommerce core functionality), or at minimum restrict access to wp-admin and the plugin's AJAX/REST endpoints via a WAF rule or .htaccess IP allowlist so that only trusted administrator IPs can reach them - note this breaks legitimate use by remote staff. Additionally, audit existing user accounts for unexpected role changes (especially recent promotions to administrator or shop_manager) and rotate credentials for any account whose role cannot be explained, and consider temporarily disabling open user registration to remove the PR:L precondition.

Share

CVE-2026-45216 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy