PatchSiren cyber security CVE debrief
CVE-2026-45216 StoreApps CVE debrief
CVE-2026-45216 is a HIGH severity (CVSS 8.8) Incorrect Privilege Assignment vulnerability in StoreApps Smart Manager, a WordPress plugin. It allows an authenticated attacker with low privileges to escalate those privileges, potentially to full administrative control of the site. All versions up to and including 8.85.0 are affected; the record gives no lower bound (shown as "n/a"). The CVE was published in the NVD on May 25, 2026 and modified on May 26, 2026. The weakness is classified as CWE-266 (Incorrect Privilege Assignment). Vendor attribution is marked as needing review with low confidence: it was derived from the reference domains, which point to Patchstack as the disclosing source. No use in ransomware campaigns has been reported, and the CVE is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
- Vendor: StoreApps
- Product: Smart Manager
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-25
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-25
- Advisory updated: 2026-05-26
Who should care
WordPress site administrators running the StoreApps Smart Manager plugin; security teams responsible for WordPress installations; managed service providers hosting WordPress environments; compliance officers tracking vulnerability remediation timelines
Technical summary
The Smart Manager plugin for WordPress contains an Incorrect Privilege Assignment weakness (CWE-266) that lets an authenticated user with low privileges obtain a higher privilege level. The CVSS 3.1 base score of 8.8 reflects a network attack vector, low attack complexity, low privileges required, no user interaction, unchanged scope, and high impact on confidentiality, integrity and availability. The low-privilege requirement matters in practice: any account the site hands out counts, so a site with self-registration or customer accounts exposes the flaw to anyone who can sign up. The published record does not identify the affected code path or the minimum role required. CWE-266 describes code that grants a principal more privileges than intended; in a WordPress plugin that typically means an action handler whose capability check is missing, too permissive, or tested against the wrong condition.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade StoreApps Smart Manager to a release later than 8.85.0 once one is available; confirm the fixed version against the Patchstack advisory or the plugin changelog before relying on it
- Verify the installed version in the WordPress admin Plugins screen or, on the file system, from the `Version:` line in the plugin's main file header; compare versions numerically, not as strings
- Review user role assignments and capabilities for unexpected grants: list every administrator (and, on WooCommerce sites, shop manager) account and confirm each one is expected
- Monitor for privilege-escalation activity: WordPress core keeps no audit log, so use an audit-log plugin, web-server access logs, or periodic role listings to catch role changes, new administrator accounts, and unusual requests to plugin endpoints from low-privilege sessions
- Consider temporarily disabling the plugin if patching is not immediately feasible and the functionality is not critical
- Apply the principle of least privilege to all WordPress user accounts, and disable self-registration where it is not needed, since the attack requires only a low-privilege authenticated account
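Two of the checks above, verifying the installed version and reviewing role assignments, as an added example written for this debrief (not code from StoreApps, Patchstack or WordPress). It reads the version from the plugin's main-file header the way WordPress does (from the file's first 8 KiB), compares it numerically against the affected ceiling of 8.85.0, and flags elevated accounts in a `wp user list --format=json --fields=ID,user_login,roles` export that are not on an expected list. The plugin directory path, the expected-administrator list, the `shop_manager` role, the assumption that WP-CLI prints roles as a comma-separated string, and the sample header and user list are all constructed for illustration and are not from the advisory.

```python
"""Version and role checks for the Smart Manager advisory.

Added example for this debrief, not code from StoreApps, Patchstack or
WordPress. Paths, the expected-admin list and the sample data are constructed.
"""
import json
import re
from pathlib import Path

AFFECTED_THROUGH = "8.85.0"  # upper bound of the affected range, from the advisory
# Roles worth reviewing; shop_manager is WooCommerce's, included as an assumption.
ELEVATED_ROLES = {"administrator", "editor", "shop_manager"}


def parse_version(text: str) -> tuple:
    """Turn '8.85.0' into (8, 85, 0). Tuple comparison avoids the string
    pitfall where '8.9.0' sorts after '8.85.0' although 8.9 < 8.85."""
    nums = re.findall(r"\d+", text)
    if not nums:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(n) for n in nums)


def plugin_version_from_header(header_text: str) -> str:
    """Extract the Version: field from a WordPress plugin header comment.
    WordPress reads plugin headers from the first 8 KiB of the main file."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header_text[:8192], re.MULTILINE)
    if not m:
        raise ValueError("no Version: header found")
    return m.group(1)


def is_affected(version: str, affected_through: str = AFFECTED_THROUGH) -> bool:
    """True when the installed version is inside the advisory's affected range."""
    return parse_version(version) <= parse_version(affected_through)


def find_plugin_version(plugin_dir: Path) -> str:
    """Scan a plugin directory for the PHP file carrying the 'Plugin Name:'
    header and return its declared version. The directory name is the
    caller's assumption, e.g. Path('/var/www/html/wp-content/plugins/<dir>')."""
    for php in sorted(plugin_dir.glob("*.php")):
        head = php.read_text(errors="replace")[:8192]
        if re.search(r"^\s*\*?\s*Plugin Name:", head, re.MULTILINE):
            return plugin_version_from_header(head)
    raise FileNotFoundError(f"no plugin header found under {plugin_dir}")


def unexpected_elevated_users(wp_user_list_json: str, expected_admins: set) -> list:
    """Flag accounts that hold an elevated role but are not on the expected list.
    Input is `wp user list --format=json --fields=ID,user_login,roles`; roles are
    assumed to be printed as a comma-separated string."""
    flagged = []
    for user in json.loads(wp_user_list_json):
        roles = set(user["roles"].split(","))
        if roles & ELEVATED_ROLES and user["user_login"] not in expected_admins:
            flagged.append((user["user_login"], sorted(roles & ELEVATED_ROLES)))
    return flagged


# Constructed sample data, not real site output.
SAMPLE_HEADER = """<?php
/*
Plugin Name: Smart Manager
Version: 8.85.0
*/
"""
SAMPLE_USERS = json.dumps([
    {"ID": 1, "user_login": "siteowner", "roles": "administrator"},
    {"ID": 17, "user_login": "jdoe", "roles": "subscriber"},
    {"ID": 42, "user_login": "promo_temp", "roles": "administrator"},
])

if __name__ == "__main__":
    v = plugin_version_from_header(SAMPLE_HEADER)
    print(f"installed {v}: {'AFFECTED' if is_affected(v) else 'outside affected range'}")
    for login, roles in unexpected_elevated_users(SAMPLE_USERS, {"siteowner"}):
        print(f"review: {login} holds {roles}")
```

The numeric comparison is the part people get wrong under time pressure: a hypothetical 8.9.0 is inside the affected range, but a string comparison against "8.85.0" would clear it.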
Evidence notes
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. CWE-266 identified as the primary weakness. Affected versions confirmed through 8.85.0; no lower bound is stated. Vendor attribution confidence is low and flagged for review.
Official resources
- CVE-2026-45216 CVE record (CVE.org)
- CVE-2026-45216 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: The vulnerability was disclosed through Patchstack and subsequently entered into the National Vulnerability Database. The NVD entry currently carries the status 'Deferred', which NVD uses for records it has deprioritized for enrichment rather than for records awaiting a vendor response; the CVSS vector and CWE shown above may therefore not reflect an independent NVD analysis.