CVE-2026-6512 - Vulnerability Details

- InfusedWoo Pro <= 5.1.2 - Unauthenticated Missing Authorization to Arbitrary Post Deletion via Multiple Parameters

Description

The InfusedWoo Pro plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.1.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to permanently delete arbitrary posts, pages, products, or orders, mass-delete all comments on any post, and change any post's status.

Published: 2026-05-14

Score: 9.1 Critical

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The InfusedWoo Pro plugin for WordPress contains an authorization bypass that allows any unauthenticated user to delete or modify content. The plugin does not verify user permissions before performing delete actions, enabling permanent removal of posts, pages, products, and orders, mass deletion of comments, and status changes. This flaw can lead to irreversible data loss and disrupt website operations.

Affected Systems

WordPress sites running Infused Addons' InfusedWoo Pro plugin, versions up to and including 5.1.2. The vulnerability impacts any installation that has the plugin enabled, regardless of the WordPress site size or traffic level.

Risk and Exploitability

The flaw carries a CVSS score of 9.1, indicating severe risk, but its EPSS score is not available, leaving the exploitation probability uncertain. The vulnerability is not listed in the CISA KEV catalog. The lack of authentication checks makes it possible for attackers to exploit the issue using crafted HTTP requests or URL parameters, originating from any unauthenticated source. Based on the description, it is inferred that the attack vector is remote and relies on these crafted requests or parameters, allowing an external adversary to delete content without credentials.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Infused Addons

InfusedWoo Pro

unaffected

Version	Status	Constraints
`0`	affected	≤ 5.1.2

No data.

Vendor Product Confidence Versions

Infused Addons

Infusedwoo Pro

100%

Version	Status	Scheme	Platform
`[0,5.1.2]`	affected	semver	—

Wordpress

80%

Version	Status	Scheme	Platform
`—`	unaffected	—	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade InfusedWoo Pro to the latest version, which includes the missing authorization checks.
If an update cannot be performed, disable or uninstall the plugin to eliminate the deletion vector.
Implement strict role-based controls or use a security plugin to ensure only authorized users can delete content, thereby adding a secondary layer of protection.

Generated by OpenCVE AI on May 14, 2026 at 10:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00093.

Exploitation none

Automatable yes

Technical Impact partial

References

Link	Providers
https://downloads.infusedwoo.com/updater/iw5.php?changelog
https://www.wordfence.com/threat-intel/vulnerabilities/id/f624c9a0-b48f-49f5-ba63-276805904945?source=cve

History

Thu, 14 May 2026 15:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Infused Addons Infused Addons infusedwoo Pro Wordpress Wordpress wordpress
Vendors & Products		Infused Addons Infused Addons infusedwoo Pro Wordpress Wordpress wordpress

Thu, 14 May 2026 11:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Thu, 14 May 2026 09:15:00 +0000

Type	Values Removed	Values Added
Description		The InfusedWoo Pro plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.1.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to permanently delete arbitrary posts, pages, products, or orders, mass-delete all comments on any post, and change any post's status.
Title		InfusedWoo Pro <= 5.1.2 - Unauthenticated Missing Authorization to Arbitrary Post Deletion via Multiple Parameters
Weaknesses		CWE-862
References		https://downloads.infusedwoo.com/updater/iw5.php?changelog https://www.wordfence.com/threat-intel/vulnerabilities/id/f624c9a0-b48f-49f5-ba63-276805904945?source=cve
Metrics		cvssV3_1 `{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}`

Subscriptions

Infused Addons Infusedwoo Pro

Wordpress Wordpress

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2026-05-14T08:24:28.204Z

Updated: 2026-05-14T10:41:58.262Z

Reserved: 2026-04-17T13:04:07.227Z

Link: CVE-2026-6512

Vulnrichment

Updated: 2026-05-14T10:41:52.990Z

NVD

Status : Deferred

Published: 2026-05-14T09:16:27.883

Modified: 2026-05-14T14:28:41.283

Link: CVE-2026-6512

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T14:32:48Z

Weaknesses

CWE-862

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Exploitation none

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object