Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
The InfusedWoo Pro plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 5.1.2. This is due to the infusedwoo_gdpr_upddata() function missing authorization and capability checks, as well as lacking restrictions on which user meta keys can be updated. This makes it possible for authenticated attackers, with subscriber-level access and above, to update their own wp_capabilities user meta to grant themselves Administrator role privileges.
AnalysisAI
Privilege escalation in the InfusedWoo Pro WordPress plugin (versions through 5.1.2) allows authenticated subscriber-level users to elevate themselves to Administrator by abusing the unprotected infusedwoo_gdpr_upddata() function to overwrite their wp_capabilities user meta. No public exploit identified at time of analysis, EPSS is very low (0.04%), and the issue is not listed in CISA KEV, but the technical impact is total once the simple authentication prerequisite is met.
Technical ContextAI
InfusedWoo Pro is a commercial WordPress/WooCommerce add-on from Infused Addons (CPE cpe:2.3:a:infused_addons:infusedwoo_pro). The root cause is CWE-862 (Missing Authorization): the AJAX/handler endpoint infusedwoo_gdpr_upddata() - ostensibly a GDPR data update helper - neither verifies the caller's capability (e.g., current_user_can()) nor restricts which user_meta keys may be written. In WordPress, the wp_capabilities user meta is the canonical store of a user's role assignments, so any code path that lets an arbitrary authenticated user write to arbitrary meta keys collapses the entire role/capability model.
RemediationAI
No vendor-released patch version is independently confirmed in the available data, so the primary action is to monitor the vendor (https://woo.infusedaddons.com/) and the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/6363b693-91b8-41cb-b13a-df6fdf9402c5?source=cve) for a release above 5.1.2 and upgrade as soon as it appears. Until then, deactivate the InfusedWoo Pro plugin if its GDPR data-update functionality is not in active use (trade-off: loss of GDPR self-service features); if it must remain enabled, disable open user registration (Settings → General → uncheck "Anyone can register") to remove the subscriber-level prerequisite, restrict access to /wp-admin/admin-ajax.php for the infusedwoo_gdpr_upddata action via a WAF rule or mu-plugin shim that enforces current_user_can('manage_options'), and audit existing users for unexpected administrator role assignments and recent wp_usermeta changes to meta_key='wp_capabilities'. Note that WAF action-name filtering can be brittle if the vendor renames the handler in a fix release, so revisit rules after upgrading.
More in Infusedwoo Pro
View allSame weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30254
GHSA-46r5-fg25-pxgj