Description
The InfusedWoo Pro plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 5.1.2 via the popup_submit. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Published: 2026-05-14
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The InfusedWoo Pro plugin for WordPress contains a flaw that allows an attacker without authentication to read any file the web server can access through the popup_submit endpoint. The plugin accepts a file path or URL parameter that is not properly validated, enabling a direct read of arbitrary files on the server (CWE‑918). This deficiency can expose configuration files, credentials, or other sensitive data and potentially allow the attacker to understand or manipulate internal services.

Affected Systems

All WordPress sites that have Infused Addons – InfusedWoo Pro installed with a version of 5.1.2 or earlier are affected. Versions newer than 5.1.2 are not listed as vulnerable.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity; the EPSS score is not available and the vulnerability is not listed on the CISA KEV catalog, suggesting no confirmed exploits yet. The likely attack vector is a straightforward HTTP request to the popup_submit action carrying a crafted file path parameter. No authentication or additional conditions are required beyond the presence of the vulnerable plugin, so the impact is broad and the exploitation cost low.

Generated by OpenCVE AI on May 14, 2026 at 11:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update InfusedWoo Pro to any version newer than 5.1.2 provided by Infused Addons
  • Disable or restrict the popup_submit functionality so that no arbitrary file path can be supplied, or modify the code to enforce a whitelist of safe directories
  • Configure web server or file system permissions so that the web‑server user can only read the directories intended for web content, thereby preventing reads of sensitive internal files

Generated by OpenCVE AI on May 14, 2026 at 11:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 14 May 2026 15:00:00 +0000

Type Values Removed Values Added
First Time appeared Infused Addons
Infused Addons infusedwoo Pro
Wordpress
Wordpress wordpress
Vendors & Products Infused Addons
Infused Addons infusedwoo Pro
Wordpress
Wordpress wordpress

Thu, 14 May 2026 11:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 14 May 2026 09:15:00 +0000

Type Values Removed Values Added
Description The InfusedWoo Pro plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 5.1.2 via the popup_submit. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.
Title InfusedWoo Pro <= 5.1.2 - Unauthenticated Arbitrary File Read via 'url' Parameter
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Infused Addons Infusedwoo Pro
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-14T10:43:07.489Z

Reserved: 2026-04-17T13:28:36.932Z

Link: CVE-2026-6514

cve-icon Vulnrichment

Updated: 2026-05-14T10:43:02.846Z

cve-icon NVD

Status : Deferred

Published: 2026-05-14T09:16:28.023

Modified: 2026-05-14T14:28:41.283

Link: CVE-2026-6514

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T14:32:50Z

Weaknesses