CVE-2026-6510: Privilege Escalation in InfusedWoo Pro
Platform
wordpress
Component
infusedwooPRO
Fixed in
5.1.3
CVE-2026-6510 represents a critical privilege escalation vulnerability affecting the InfusedWoo Pro plugin for WordPress. This flaw allows unauthenticated attackers to bypass authentication and gain control of user accounts, potentially including administrator privileges. The vulnerability exists in versions up to and including 5.1.2 and has been resolved in version 5.1.3.
Detect this CVE in your project
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Impact and Attack Scenarios
The impact of CVE-2026-6510 is severe. An unauthenticated attacker can craft a malicious URL that, when visited, grants them authentication cookies for any targeted user account. This effectively bypasses the WordPress authentication mechanism, allowing the attacker to impersonate any user, including administrators. Successful exploitation grants complete control over the WordPress site, enabling data theft, modification, deletion, and the installation of malicious code. This vulnerability shares similarities with other authentication bypass flaws where improper nonce verification and capability checks are exploited to gain unauthorized access.
Exploitation Context
CVE-2026-6510 was published on 2026-05-13. The vulnerability's severity is rated CRITICAL (CVSS 9.8). Public proof-of-concept (POC) code is likely to emerge given the ease of exploitation and the high impact. As of this writing, no active campaigns targeting this vulnerability have been publicly reported, but the ease of exploitation makes it a likely target for opportunistic attackers. Monitor security advisories and threat intelligence feeds for updates.
Threat Intelligence
Exploit Status
CISA SSVC
CVSS Vector
What do these metrics mean?
- Attack Vector
- Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
- Attack Complexity
- Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
- Privileges Required
- None — unauthenticated. No login or credentials needed to exploit.
- User Interaction
- None — attack is automatic and silent. Victim does nothing: no click, no file open.
- Scope
- Unchanged — impact is limited to the vulnerable component itself.
- Confidentiality
- High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
- Integrity
- High — attacker can write, modify, or delete any data: databases, config files, or code.
- Availability
- High — complete crash or resource exhaustion. Full denial of service.
Affected Software
Weakness Classification (CWE)
Timeline
- Reserved
- Published
Mitigation and Workarounds
The primary mitigation for CVE-2026-6510 is to immediately upgrade the InfusedWoo Pro plugin to version 5.1.3 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the iwarsaverecipe() AJAX handler functionality within the plugin (if possible through configuration options). Web Application Firewalls (WAFs) configured to detect and block suspicious HTTP POST requests targeting the iwarsaverecipe() endpoint can provide an additional layer of defense. Monitor WordPress logs for unusual authentication activity or attempts to access the iwarsaverecipe() endpoint from unauthorized IP addresses. After upgrading, confirm the fix by attempting to access the plugin's functionality without proper authentication and verifying that access is denied.
How to fix
Update to version 5.1.3, or a newer patched version
Frequently asked questions
What is CVE-2026-6510 — Privilege Escalation in InfusedWoo Pro?
CVE-2026-6510 is a critical vulnerability in the InfusedWoo Pro WordPress plugin allowing unauthenticated attackers to bypass authentication and gain control of user accounts, including administrators, via a crafted URL.
Am I affected by CVE-2026-6510 in InfusedWoo Pro?
You are affected if you are using InfusedWoo Pro versions 5.1.2 or earlier. Upgrade to version 5.1.3 to mitigate the risk.
How do I fix CVE-2026-6510 in InfusedWoo Pro?
Upgrade the InfusedWoo Pro plugin to version 5.1.3 or later. If immediate upgrade is not possible, temporarily disable the iwarsaverecipe() AJAX handler functionality or implement WAF rules.
Is CVE-2026-6510 being actively exploited?
While no active campaigns have been publicly reported, the ease of exploitation makes it a likely target for opportunistic attackers. Continuous monitoring is recommended.
Where can I find the official InfusedWoo Pro advisory for CVE-2026-6510?
Refer to the InfusedWoo Pro plugin documentation and website for the official advisory and update information. Check the WordPress plugin repository for the updated version.
Is your project affected?
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Detect this CVE in your project
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Scan your WordPress project now — no account
Upload any manifest (composer.lock, package-lock.json, WordPress plugin list…) or paste your component list. You get a vulnerability report instantly. Uploading a file is just the start: with an account you get continuous monitoring, Slack/email alerts, multi-project and white-label reports.
Drag & drop your dependency file
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...