WordPress Plugin Vulnerabilities

Smart Manager < 8.46.0 - Missing Authorization

Description

The Smart Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the update_to_pro() function in versions up to, and including, 8.45.0. This makes it possible for authenticated attackers, with subscriber-level access and above, to upgrade the plugin to pro.

Affects Plugins

Plugin icon
smart-manager-for-wp-e-commerce
Fixed in 8.46.0

References

CVE
CVE-2024-49687
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/9c53faf5-a6a6-4eb9-ad82-31873c0a6282

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Ananda Dhakal
Verified
No
WPVDB ID
d6165dd9-ab71-4b67-9d7e-72e8107211ec

Timeline

Publicly Published
2024-10-21 (about 1 year ago)
Added
2024-10-30 (about 1 year ago)
Last Updated
2024-10-30 (about 1 year ago)

Other

Published
Title
Published
2023-12-26
Title
All-in-one Floating Contact Form < 2.1.4 - Unauthenticated Unauthorised Action
Published
2025-06-25
Title
Post Carousel Slider for Elementor < 1.7.0 - Authenticated (Subscriber+) Missing Authorization via process_wbelps_promo_form Function
Published
2025-08-29
Title
Blog Designer PRO <= 3.4.8 - Missing Authorization
Published
2024-12-14
Title
Order Delivery & Pickup Location Date Time ( Free Version ) <= 1.1.0 - Missing Authorization to Unauthenticated Settings Update
Published
2025-06-19
Title
Video List Manager <= 1.7 - Missing Authorization