Skip to main content

InfusedWoo Pro CVE-2026-6506

| EUVDEUVD-2026-30254 HIGH
Missing Authorization (CWE-862)
2026-05-14 Wordfence GHSA-46r5-fg25-pxgj
8.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 08, 2026 - 08:50 vuln.today
CVE Published
May 14, 2026 - 06:44 nvd
HIGH 8.8

DescriptionCVE.org

The InfusedWoo Pro plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 5.1.2. This is due to the infusedwoo_gdpr_upddata() function missing authorization and capability checks, as well as lacking restrictions on which user meta keys can be updated. This makes it possible for authenticated attackers, with subscriber-level access and above, to update their own wp_capabilities user meta to grant themselves Administrator role privileges.

AnalysisAI

Privilege escalation in the InfusedWoo Pro WordPress plugin (versions through 5.1.2) allows authenticated subscriber-level users to elevate themselves to Administrator by abusing the unprotected infusedwoo_gdpr_upddata() function to overwrite their wp_capabilities user meta. No public exploit identified at time of analysis, EPSS is very low (0.04%), and the issue is not listed in CISA KEV, but the technical impact is total once the simple authentication prerequisite is met.

Technical ContextAI

InfusedWoo Pro is a commercial WordPress/WooCommerce add-on from Infused Addons (CPE cpe:2.3:a:infused_addons:infusedwoo_pro). The root cause is CWE-862 (Missing Authorization): the AJAX/handler endpoint infusedwoo_gdpr_upddata() - ostensibly a GDPR data update helper - neither verifies the caller's capability (e.g., current_user_can()) nor restricts which user_meta keys may be written. In WordPress, the wp_capabilities user meta is the canonical store of a user's role assignments, so any code path that lets an arbitrary authenticated user write to arbitrary meta keys collapses the entire role/capability model.

RemediationAI

No vendor-released patch version is independently confirmed in the available data, so the primary action is to monitor the vendor (https://woo.infusedaddons.com/) and the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/6363b693-91b8-41cb-b13a-df6fdf9402c5?source=cve) for a release above 5.1.2 and upgrade as soon as it appears. Until then, deactivate the InfusedWoo Pro plugin if its GDPR data-update functionality is not in active use (trade-off: loss of GDPR self-service features); if it must remain enabled, disable open user registration (Settings → General → uncheck "Anyone can register") to remove the subscriber-level prerequisite, restrict access to /wp-admin/admin-ajax.php for the infusedwoo_gdpr_upddata action via a WAF rule or mu-plugin shim that enforces current_user_can('manage_options'), and audit existing users for unexpected administrator role assignments and recent wp_usermeta changes to meta_key='wp_capabilities'. Note that WAF action-name filtering can be brittle if the vendor renames the handler in a fix release, so revisit rules after upgrading.

Share

CVE-2026-6506 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy