VYPR
High severity · 8.8 · NVD Advisory · Published May 25, 2026

CVE-2026-45216

Description

Incorrect Privilege Assignment vulnerability in StoreApps Smart Manager allows Privilege Escalation.

This issue affects Smart Manager: from n/a through 8.85.0.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Smart Manager plugin versions ≤ 8.85.0 contain an incorrect privilege assignment vulnerability allowing low-privileged users to escalate to admin-level access.

Vulnerability

The Smart Manager plugin for WordPress, in versions through 8.85.0, contains an Incorrect Privilege Assignment vulnerability. This allows users with low privileges (e.g., subscribers or contributors) to escalate their role to one with higher privileges, potentially reaching administrator level. The bug resides in the plugin's privilege handling logic and requires no special configuration beyond a standard WordPress installation with the vulnerable plugin activated [1].

Exploitation

An attacker must have a valid WordPress user account with low-level privileges (e.g., subscriber, contributor, or author). No additional network position or authentication is required beyond possession of such an account. The attacker can trigger the privilege escalation by sending crafted requests that exploit the incorrect privilege assignment, without requiring user interaction from administrators [1].

Impact

Successful exploitation allows the attacker to escalate their account to a higher privileged role, such as administrator. This grants full control over the WordPress site, including the ability to modify content, install plugins, change themes, manage users, and access sensitive data. The impact is a complete compromise of confidentiality, integrity, and availability of the affected WordPress instance [1].

Mitigation

The vulnerability is fixed in Smart Manager version 8.86.0, according to the advisory [1]. Users should update to version 8.86.0 or later immediately. Until the update is applied, Patchstack provides a mitigation rule that blocks exploitation attempts as a temporary workaround [1]. The plugin is actively targeted in mass-exploit campaigns, making prompt updating critical.

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

References

1
