CVE-2026-6512: Authorization Bypass in InfusedWoo Pro

The impact of this vulnerability is severe due to the ease of exploitation and the potential for widespread data loss. An attacker can leverage this bypass to permanently delete posts, pages, products, and orders, effectively crippling an e-commerce site. The ability to mass-delete comments on any post can damage a site's reputation and user engagement. Furthermore, attackers can modify post statuses, potentially disrupting content publishing workflows and creating misleading information for users. This vulnerability's simplicity makes it a high-priority target for malicious actors.

1. 予約済み2026-04-17
2. 公開日2026-05-14

The primary mitigation is to immediately upgrade the InfusedWoo Pro plugin to version 5.1.3 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily restricting access to the plugin's administrative functions. Implement strict user role permissions within WordPress to limit the potential damage an attacker could inflict if they gain unauthorized access. While a WAF cannot directly prevent this authorization bypass, it can help detect and block suspicious requests attempting to exploit it. After upgrading, verify the fix by attempting to access plugin functions without proper authentication; successful access indicates the vulnerability persists.