WordPress Plugin Vulnerabilities

Wholesale Suite < 2.2.7 - Authenticated (Shop Manager) Privilege Escalation

Description

The Wholesale Suite – B2B, Dynamic Pricing & WooCommerce Wholesale Prices plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.2.6.This makes it possible for authenticated attackers, with Shop Manager-level access and above, to elevate their privileges to that of an administrator.

Affects Plugins

Plugin icon
woocommerce-wholesale-prices
Fixed in 2.2.7

References

CVE
CVE-2026-27541
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/2942644d-c330-4ec0-ab1d-64b3044d5a87

Classification

Type
PRIVESC
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-269
CVSS
7.2 (high)

Miscellaneous

Original Researcher
Teemu Saarentaus
Verified
No
WPVDB ID
eb4abcc8-6051-41a7-b3af-b683cd86d9cd

Timeline

Publicly Published
2026-02-20 (about 3 months ago)
Added
2026-02-25 (about 3 months ago)
Last Updated
2026-03-06 (about 2 months ago)

Other

Published
Title
Published
2026-01-21
Title
Hydra Booking < 1.1.33 - Unauthenticated Privilege Escalation
Published
2023-08-08
Title
Biometric Login for WooCommerce < 1.0.4 - Unauthenticated Privilege Escalation
Published
2026-03-20
Title
RewardsWP < 1.0.5 - Unauthenticated Privilege Escalation
Published
2025-03-06
Title
School Management System for Wordpress <= 93.0.0 - Student+ Account Takeover and Privilege Escalation
Published
2025-05-22
Title
Simple Business Directory Pro <= 15.4.8 - Unauthenticated Privilege Escalation