CVE-2026-6506: Privilege Escalation in InfusedWoo Pro

The impact of this vulnerability is significant. Successful exploitation allows an attacker to bypass standard access controls and assume the role of an administrator. This grants them complete control over the WordPress site, including the ability to modify content, install malicious plugins, access sensitive data (user information, financial details if stored on the site), and potentially compromise the entire server. The attacker could also use this access to launch further attacks against other systems connected to the WordPress site, expanding the blast radius. This vulnerability is particularly concerning given the widespread use of WordPress and the potential for significant data breaches and service disruption.

1. 予約済み2026-04-17
2. 公開日2026-05-14

The primary mitigation is to immediately upgrade the InfusedWoo Pro plugin to version 5.1.3 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider implementing temporary workarounds. While no direct workaround exists to prevent privilege escalation, restricting access to the infusedwoogdprupddata() function through custom code or a security plugin might offer limited protection, but is not recommended as a primary defense. Closely monitor WordPress user accounts for any suspicious activity, particularly new administrator accounts. After upgrading, verify the fix by attempting to escalate a low-privilege user's role to administrator using the vulnerable function; the attempt should fail.