CVE-2026-6506 - Vulnerability Details

- InfusedWoo Pro <= 5.1.2 - Authenticated (Subscriber+) Missing Authorization to Privilege Escalation via Arbitrary User Meta Update

Description

The InfusedWoo Pro plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 5.1.2. This is due to the infusedwoo_gdpr_upddata() function missing authorization and capability checks, as well as lacking restrictions on which user meta keys can be updated. This makes it possible for authenticated attackers, with subscriber-level access and above, to update their own wp_capabilities user meta to grant themselves Administrator role privileges.

Published: 2026-05-14

Score: 8.8 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability arises from an authorization check missing in the infusedwoo_gdpr_upddata() function, allowing authenticated users with subscriber level or higher to update their own wp_capabilities user meta key. This flaw permits an attacker to grant themselves the Administrator role, effectively taking full control of the WordPress site. The weakness is identified as Missing Authorization, mapping to CWE-862.

Affected Systems

WordPress sites running Infused Woo Pro plugin, versions 5.1.2 and earlier, distributed by Infused Addons.

Risk and Exploitability

The CVSS score of 8.8 reflects a high severity, and the EPSS information is currently unavailable. The vulnerability is not listed in CISA's KEV catalog. The likely attack path requires the attacker to first authenticate to the site with at least subscriber privileges, then invoke the vulnerable function to overwrite the wp_capabilities meta, elevating the account to Administrator.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Infused Addons

InfusedWoo Pro

unaffected

Version	Status	Constraints
`0`	affected	≤ 5.1.2

No data.

Vendor Product Confidence Versions

Infused Addons

Infusedwoo Pro

100%

Version	Status	Scheme	Platform
`[0,5.1.2]`	affected	generic	—

Wordpress

80%

Version	Status	Scheme	Platform
`—`	unaffected	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade InfusedWoo Pro to version 5.1.3 or later, which removes the flawed function and adds proper capability checks.
If an upgrade is not immediately possible, restrict the plugin’s ability to modify wp_capabilities by implementing a custom filter or using a web‑application firewall rule that blocks writes to the wp_capabilities meta for non‑administrator users.
Monitor the user_meta and capabilities tables for any unauthorized changes, and enforce logging of capability updates to detect and respond to suspicious activity.

Generated by OpenCVE AI on May 14, 2026 at 08:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00041.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://drive.google.com/file/d/1QrKLX-GcBiAMKzEI4mZBPO-S0_7W6Xv7/view?usp=sharing
https://woo.infusedaddons.com/
https://www.wordfence.com/threat-intel/vulnerabilities/id/6363b693-91b8-41cb-b13a-df6fdf9402c5?source=cve

History

Thu, 14 May 2026 15:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Infused Addons Infused Addons infusedwoo Pro Wordpress Wordpress wordpress
Vendors & Products		Infused Addons Infused Addons infusedwoo Pro Wordpress Wordpress wordpress

Thu, 14 May 2026 11:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Thu, 14 May 2026 07:00:00 +0000

Type	Values Removed	Values Added
Description		The InfusedWoo Pro plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 5.1.2. This is due to the infusedwoo_gdpr_upddata() function missing authorization and capability checks, as well as lacking restrictions on which user meta keys can be updated. This makes it possible for authenticated attackers, with subscriber-level access and above, to update their own wp_capabilities user meta to grant themselves Administrator role privileges.
Title		InfusedWoo Pro <= 5.1.2 - Authenticated (Subscriber+) Missing Authorization to Privilege Escalation via Arbitrary User Meta Update
Weaknesses		CWE-862
References		https://drive.google.com/file/d/1QrKLX-GcBiAMKzEI4mZBPO-S0_7W6Xv7/view?usp=sharing https://woo.infusedaddons.com/ https://www.wordfence.com/threat-intel/vulnerabilities/id/6363b693-91b8-41cb-b13a-df6fdf9402c5?source=cve
Metrics		cvssV3_1 `{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}`

Subscriptions

Infused Addons Infusedwoo Pro

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2026-05-14T06:44:11.474Z

Updated: 2026-05-14T10:44:42.620Z

Reserved: 2026-04-17T11:18:27.211Z

Link: CVE-2026-6506

Vulnrichment

Updated: 2026-05-14T10:44:37.585Z

NVD

Status : Deferred

Published: 2026-05-14T07:16:20.817

Modified: 2026-05-14T14:28:41.283

Link: CVE-2026-6506

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T14:32:53Z

Weaknesses

CWE-862
Missing Authorization

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object