Skip to main content

InfusedWoo Pro CVE-2026-6510

| EUVDEUVD-2026-30255 CRITICAL
Missing Authorization (CWE-862)
2026-05-14 Wordfence GHSA-jp9r-75g3-6qxr
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 08, 2026 - 08:20 vuln.today
CVE Published
May 14, 2026 - 06:44 nvd
CRITICAL 9.8

DescriptionCVE.org

The InfusedWoo Pro plugin for WordPress is vulnerable to privilege escalation via missing authorization in all versions up to, and including, 5.1.2. This is due to missing nonce verification and capability checks in the iwar_save_recipe() AJAX handler. This makes it possible for unauthenticated attackers to create a malicious automation recipe that pairs an HTTP post trigger with an auto-login action, allowing any unauthenticated visitor to visit a crafted URL and receive authentication cookies for any targeted user account (e.g., administrator), achieving complete authentication bypass and privilege escalation.

AnalysisAI

Authentication bypass and privilege escalation in the InfusedWoo Pro WordPress plugin (versions through 5.1.2) lets unauthenticated remote attackers seize administrator accounts by abusing the iwar_save_recipe() AJAX handler. Because the endpoint lacks nonce verification and capability checks, attackers can plant a malicious automation recipe that chains an HTTP post trigger with an auto-login action, so visiting a crafted URL returns valid authentication cookies for any chosen user. Reported by Wordfence with a CVSS of 9.8; no public exploit identified at time of analysis, and EPSS sits at 0.19% (40th percentile) despite the SSVC assessment of total technical impact and automatable exploitation.

Technical ContextAI

The vulnerability resides in InfusedWoo Pro (CPE cpe:2.3:a:infused_addons:infusedwoo_pro), a WordPress plugin that extends WooCommerce with automation 'recipes' linking triggers (such as HTTP posts) to actions (such as auto-logging in a user). The root cause is CWE-862 (Missing Authorization): the iwar_save_recipe() AJAX callback is registered without a corresponding capability check or WordPress nonce verification, and is likely exposed via the wp_ajax_nopriv_ hook that makes AJAX endpoints reachable to unauthenticated visitors. Because recipe definitions are arbitrary attacker-controlled JSON-like structures persisted server-side, an attacker can both write a new recipe and define its action (auto-login), effectively turning a legitimate administrative automation feature into an authentication oracle.

RemediationAI

No vendor-released patch identified at time of analysis - the references do not cite a fixed version, so monitor the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/08cb8ba1-1976-438b-8e0b-0a8be08aad6c) and https://woo.infusedaddons.com/ for an update beyond 5.1.2 and apply it as soon as published. In the interim, deactivate and remove InfusedWoo Pro entirely if the automation features are non-critical (most direct mitigation; side effect is loss of any in-place automation recipes), or use a WAF/edge rule to block POST requests to /wp-admin/admin-ajax.php where the action parameter equals iwar_save_recipe from unauthenticated sources (side effect: legitimate admin-initiated recipe saves from the WordPress dashboard may also be blocked if they ride the nopriv path). Restrict access to wp-admin/admin-ajax.php by IP allowlist for the affected action where feasible, and audit existing recipes plus the users table for unexpected administrator accounts or auto-login configurations created since the plugin was installed.

Share

CVE-2026-6510 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy