Description
The InfusedWoo Pro plugin for WordPress is vulnerable to privilege escalation via missing authorization in all versions up to, and including, 5.1.2. This is due to missing nonce verification and capability checks in the iwar_save_recipe() AJAX handler. This makes it possible for unauthenticated attackers to create a malicious automation recipe that pairs an HTTP post trigger with an auto-login action, allowing any unauthenticated visitor to visit a crafted URL and receive authentication cookies for any targeted user account (e.g., administrator), achieving complete authentication bypass and privilege escalation.
Published: 2026-05-14
Score: 9.8 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The InfusedWoo Pro plugin for WordPress is vulnerable because its iwar_save_recipe AJAX handler lacks nonce verification and capability checks. This flaw allows an unauthenticated attacker to fabricate a recipe that triggers an auto‑login action, causing any visitor to receive authentication cookies for a privileged account such as an administrator. The result is a complete authentication bypass and the ability to compromise the site with full administrative privileges.

Affected Systems

Infused Addons: InfusedWoo Pro plugin for WordPress, affecting all released versions up to and including 5.1.2. Any WordPress installation that has this plugin installed and has the vulnerable version running is at risk.

Risk and Exploitability

With a CVSS score of 9.8 the vulnerability is rated critical. The EPSS score is not available, and the vulnerability is not yet listed in the CISA KEV catalog. An attacker can exploit it simply by visiting a crafted URL targeting the iwar_save_recipe AJAX endpoint, which is accessible to unauthenticated users. The attack requires no prior knowledge of site credentials and can be performed remotely via an HTTP request.

Generated by OpenCVE AI on May 14, 2026 at 08:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update InfusedWoo Pro to the latest version that includes the missing authorization fix.
  • If an update is not immediately available, restrict access to the iwar_save_recipe AJAX endpoint so that only authenticated users can invoke it, for example by adding a firewall rule or modifying the .htaccess file to limit access to logged‑in users.
  • Audit the WordPress installation for additional custom AJAX handlers that lack nonce verification or capability checks and apply the same remediation to those endpoints.

Generated by OpenCVE AI on May 14, 2026 at 08:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 14 May 2026 07:00:00 +0000

Type Values Removed Values Added
Description The InfusedWoo Pro plugin for WordPress is vulnerable to privilege escalation via missing authorization in all versions up to, and including, 5.1.2. This is due to missing nonce verification and capability checks in the iwar_save_recipe() AJAX handler. This makes it possible for unauthenticated attackers to create a malicious automation recipe that pairs an HTTP post trigger with an auto-login action, allowing any unauthenticated visitor to visit a crafted URL and receive authentication cookies for any targeted user account (e.g., administrator), achieving complete authentication bypass and privilege escalation.
Title InfusedWoo Pro <= 5.1.2 - Unauthenticated Missing Authorization to Privilege Escalation via 'iwar_save_recipe'
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-14T06:44:09.705Z

Reserved: 2026-04-17T11:55:02.641Z

Link: CVE-2026-6510

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-14T07:16:21.127

Modified: 2026-05-14T07:16:21.127

Link: CVE-2026-6510

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T08:30:16Z

Weaknesses