Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Incorrect Privilege Assignment vulnerability in StoreApps Smart Manager allows Privilege Escalation.
This issue affects Smart Manager: from n/a through 8.85.0.
AnalysisAI
Privilege escalation in the StoreApps Smart Manager WordPress plugin (versions up to and including 8.85.0) allows authenticated low-privilege users to elevate themselves to higher-privileged roles due to incorrect privilege assignment (CWE-266). The flaw was reported by Patchstack and carries a CVSS 3.1 score of 8.8, though there is no public exploit identified at time of analysis and EPSS is very low at 0.04%. Affected WooCommerce stores running this plugin should treat this as a meaningful internal-risk issue because any subscriber, customer, or shop-manager account could be leveraged to seize administrator control.
Technical ContextAI
Smart Manager (sold by StoreApps as 'Smart Manager for WP & WooCommerce', CPE cpe:2.3:a:storeapps:smart_manager) is a WordPress plugin that provides a spreadsheet-style admin dashboard for bulk editing posts, products, orders, users and other WordPress entities. The vulnerability falls under CWE-266 (Incorrect Privilege Assignment), meaning the plugin grants a user a privilege or capability they should not be entitled to - typically because a capability check (current_user_can) is missing, an AJAX/REST endpoint does not enforce the expected role, or user-supplied role/capability data is trusted when updating user objects. Because Smart Manager exposes write operations across WordPress core object types including the users table, a flaw in its role-handling logic can be turned directly into account-role manipulation.
RemediationAI
Upstream fix available per Patchstack advisory; a released patched version is not independently confirmed in the provided data, so administrators should upgrade Smart Manager to the latest release above 8.85.0 published by StoreApps and verify the version on the WordPress plugins page after update, consulting https://patchstack.com/database/wordpress/plugin/smart-manager-for-wp-e-commerce/vulnerability/wordpress-smart-manager-plugin-8-85-0-privilege-escalation-vulnerability for the exact fixed build. Until the patched version is applied, deactivate the Smart Manager plugin (this removes the bulk-management UI but does not break WooCommerce core functionality), or at minimum restrict access to wp-admin and the plugin's AJAX/REST endpoints via a WAF rule or .htaccess IP allowlist so that only trusted administrator IPs can reach them - note this breaks legitimate use by remote staff. Additionally, audit existing user accounts for unexpected role changes (especially recent promotions to administrator or shop_manager) and rotate credentials for any account whose role cannot be explained, and consider temporarily disabling open user registration to remove the PR:L precondition.
More in Smart Manager
View allThe Smart Manager WordPress plugin before 8.28.0 does not properly sanitise and escape a parameter before using it in a
Improper configuration in Smart Manager prior to version 11.0.05.0 allows attacker to access the file with system privil
Same weakness CWE-266 – Incorrect Privilege Assignment
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31767
GHSA-7mvm-5m6v-x45x