Cette page n'a pas encore été traduite dans votre langue. Affichage du contenu en anglais pendant que nous y travaillons.
💡 Keep dependencies up to date — most exploits target known, patchable vulnerabilities.
CVE-2026-6510: Privilege Escalation in InfusedWoo Pro
Plateforme
wordpress
Composant
infusedwooPRO
Corrigé dans
5.1.3
CVE-2026-6510 represents a critical privilege escalation vulnerability affecting the InfusedWoo Pro plugin for WordPress. This flaw allows unauthenticated attackers to bypass authentication and gain control of user accounts, potentially including administrator privileges. The vulnerability exists in versions up to and including 5.1.2 and has been resolved in version 5.1.3.
Détecte cette CVE dans ton projet
Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.
Impact et Scénarios d'Attaquetraduction en cours…
The impact of CVE-2026-6510 is severe. An unauthenticated attacker can craft a malicious URL that, when visited, grants them authentication cookies for any targeted user account. This effectively bypasses the WordPress authentication mechanism, allowing the attacker to impersonate any user, including administrators. Successful exploitation grants complete control over the WordPress site, enabling data theft, modification, deletion, and the installation of malicious code. This vulnerability shares similarities with other authentication bypass flaws where improper nonce verification and capability checks are exploited to gain unauthorized access.
Contexte d'Exploitationtraduction en cours…
CVE-2026-6510 was published on 2026-05-13. The vulnerability's severity is rated CRITICAL (CVSS 9.8). Public proof-of-concept (POC) code is likely to emerge given the ease of exploitation and the high impact. As of this writing, no active campaigns targeting this vulnerability have been publicly reported, but the ease of exploitation makes it a likely target for opportunistic attackers. Monitor security advisories and threat intelligence feeds for updates.
Renseignement sur les Menaces
Statut de l'Exploit
CISA SSVC
Vecteur CVSS
Que signifient ces métriques?
- Attack Vector
- Réseau — exploitable à distance via internet. Aucun accès physique ou local requis.
- Attack Complexity
- Faible — aucune condition spéciale requise. Exploitable de manière fiable.
- Privileges Required
- Aucun — sans authentification. Aucune identifiant requis pour exploiter.
- User Interaction
- Aucune — attaque automatique et silencieuse. La victime ne fait rien.
- Scope
- Inchangé — impact limité au composant vulnérable.
- Confidentiality
- Élevé — perte totale de confidentialité. L'attaquant peut lire toutes les données.
- Integrity
- Élevé — l'attaquant peut écrire, modifier ou supprimer toutes les données.
- Availability
- Élevé — panne complète ou épuisement des ressources. Déni de service total.
Logiciel Affecté
Classification de Faiblesse (CWE)
Chronologie
- Réservé
- Publiée
Mitigation et Contournementstraduction en cours…
The primary mitigation for CVE-2026-6510 is to immediately upgrade the InfusedWoo Pro plugin to version 5.1.3 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the iwarsaverecipe() AJAX handler functionality within the plugin (if possible through configuration options). Web Application Firewalls (WAFs) configured to detect and block suspicious HTTP POST requests targeting the iwarsaverecipe() endpoint can provide an additional layer of defense. Monitor WordPress logs for unusual authentication activity or attempts to access the iwarsaverecipe() endpoint from unauthorized IP addresses. After upgrading, confirm the fix by attempting to access the plugin's functionality without proper authentication and verifying that access is denied.
Comment corriger
Mettre à jour vers la version 5.1.3, ou une version corrigée plus récente
Questions fréquentestraduction en cours…
What is CVE-2026-6510 — Privilege Escalation in InfusedWoo Pro?
CVE-2026-6510 is a critical vulnerability in the InfusedWoo Pro WordPress plugin allowing unauthenticated attackers to bypass authentication and gain control of user accounts, including administrators, via a crafted URL.
Am I affected by CVE-2026-6510 in InfusedWoo Pro?
You are affected if you are using InfusedWoo Pro versions 5.1.2 or earlier. Upgrade to version 5.1.3 to mitigate the risk.
How do I fix CVE-2026-6510 in InfusedWoo Pro?
Upgrade the InfusedWoo Pro plugin to version 5.1.3 or later. If immediate upgrade is not possible, temporarily disable the iwarsaverecipe() AJAX handler functionality or implement WAF rules.
Is CVE-2026-6510 being actively exploited?
While no active campaigns have been publicly reported, the ease of exploitation makes it a likely target for opportunistic attackers. Continuous monitoring is recommended.
Where can I find the official InfusedWoo Pro advisory for CVE-2026-6510?
Refer to the InfusedWoo Pro plugin documentation and website for the official advisory and update information. Check the WordPress plugin repository for the updated version.
Ton projet est-il affecté ?
Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.
Détecte cette CVE dans ton projet
Téléverse ton fichier de dépendances et découvre instantanément si cette CVE et d'autres te touchent.
Scannez votre projet WordPress maintenant — sans compte
scanZone.subtitle
Glissez-déposez votre fichier de dépendances
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...