Description
The InfusedWoo Pro plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 5.1.2. This is due to the infusedwoo_gdpr_upddata() function missing authorization and capability checks, as well as lacking restrictions on which user meta keys can be updated. This makes it possible for authenticated attackers, with subscriber-level access and above, to update their own wp_capabilities user meta to grant themselves Administrator role privileges.
Published: 2026-05-14
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from an authorization check missing in the infusedwoo_gdpr_upddata() function, allowing authenticated users with subscriber level or higher to update their own wp_capabilities user meta key. This flaw permits an attacker to grant themselves the Administrator role, effectively taking full control of the WordPress site. The weakness is identified as Missing Authorization, mapping to CWE-862.

Affected Systems

WordPress sites running Infused Woo Pro plugin, versions 5.1.2 and earlier, distributed by Infused Addons.

Risk and Exploitability

The CVSS score of 8.8 reflects a high severity, and the EPSS information is currently unavailable. The vulnerability is not listed in CISA's KEV catalog. The likely attack path requires the attacker to first authenticate to the site with at least subscriber privileges, then invoke the vulnerable function to overwrite the wp_capabilities meta, elevating the account to Administrator.

Generated by OpenCVE AI on May 14, 2026 at 08:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade InfusedWoo Pro to version 5.1.3 or later, which removes the flawed function and adds proper capability checks.
  • If an upgrade is not immediately possible, restrict the plugin’s ability to modify wp_capabilities by implementing a custom filter or using a web‑application firewall rule that blocks writes to the wp_capabilities meta for non‑administrator users.
  • Monitor the user_meta and capabilities tables for any unauthorized changes, and enforce logging of capability updates to detect and respond to suspicious activity.

Generated by OpenCVE AI on May 14, 2026 at 08:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 14 May 2026 07:00:00 +0000

Type Values Removed Values Added
Description The InfusedWoo Pro plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 5.1.2. This is due to the infusedwoo_gdpr_upddata() function missing authorization and capability checks, as well as lacking restrictions on which user meta keys can be updated. This makes it possible for authenticated attackers, with subscriber-level access and above, to update their own wp_capabilities user meta to grant themselves Administrator role privileges.
Title InfusedWoo Pro <= 5.1.2 - Authenticated (Subscriber+) Missing Authorization to Privilege Escalation via Arbitrary User Meta Update
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-14T06:44:11.474Z

Reserved: 2026-04-17T11:18:27.211Z

Link: CVE-2026-6506

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-14T07:16:20.817

Modified: 2026-05-14T07:16:20.817

Link: CVE-2026-6506

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T08:30:16Z

Weaknesses