Deze pagina is nog niet vertaald naar uw taal. We werken eraan — de inhoud wordt voorlopig in het Engels weergegeven.
💡 Keep dependencies up to date — most exploits target known, patchable vulnerabilities.
CVE-2026-6510: Privilege Escalation in InfusedWoo Pro
Platform
wordpress
Component
infusedwooPRO
Opgelost in
5.1.3
CVE-2026-6510 represents a critical privilege escalation vulnerability affecting the InfusedWoo Pro plugin for WordPress. This flaw allows unauthenticated attackers to bypass authentication and gain control of user accounts, potentially including administrator privileges. The vulnerability exists in versions up to and including 5.1.2 and has been resolved in version 5.1.3.
Detecteer deze CVE in je project
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.
Impact en Aanvalsscenarioswordt vertaald…
The impact of CVE-2026-6510 is severe. An unauthenticated attacker can craft a malicious URL that, when visited, grants them authentication cookies for any targeted user account. This effectively bypasses the WordPress authentication mechanism, allowing the attacker to impersonate any user, including administrators. Successful exploitation grants complete control over the WordPress site, enabling data theft, modification, deletion, and the installation of malicious code. This vulnerability shares similarities with other authentication bypass flaws where improper nonce verification and capability checks are exploited to gain unauthorized access.
Uitbuitingscontextwordt vertaald…
CVE-2026-6510 was published on 2026-05-13. The vulnerability's severity is rated CRITICAL (CVSS 9.8). Public proof-of-concept (POC) code is likely to emerge given the ease of exploitation and the high impact. As of this writing, no active campaigns targeting this vulnerability have been publicly reported, but the ease of exploitation makes it a likely target for opportunistic attackers. Monitor security advisories and threat intelligence feeds for updates.
Dreigingsinformatie
Exploit Status
CISA SSVC
CVSS-vector
Wat betekenen deze metrics?
- Attack Vector
- Netwerk — op afstand uitbuitbaar via internet. Geen fysieke of lokale toegang vereist.
- Attack Complexity
- Laag — geen speciale voorwaarden vereist. Betrouwbaar uitbuitbaar.
- Privileges Required
- Geen — geen authenticatie vereist om te exploiteren.
- User Interaction
- Geen — automatische en stille aanval. Slachtoffer doet niets.
- Scope
- Ongewijzigd — impact beperkt tot het kwetsbare component.
- Confidentiality
- Hoog — volledig verlies van vertrouwelijkheid. Aanvaller kan alle gegevens lezen.
- Integrity
- Hoog — aanvaller kan alle gegevens schrijven, aanpassen of verwijderen.
- Availability
- Hoog — volledige crash of uitputting van resources. Totale denial of service.
Getroffen Software
Zwakheidsclassificatie (CWE)
Tijdlijn
- Gereserveerd
- Gepubliceerd
Mitigatie en Workaroundswordt vertaald…
The primary mitigation for CVE-2026-6510 is to immediately upgrade the InfusedWoo Pro plugin to version 5.1.3 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the iwarsaverecipe() AJAX handler functionality within the plugin (if possible through configuration options). Web Application Firewalls (WAFs) configured to detect and block suspicious HTTP POST requests targeting the iwarsaverecipe() endpoint can provide an additional layer of defense. Monitor WordPress logs for unusual authentication activity or attempts to access the iwarsaverecipe() endpoint from unauthorized IP addresses. After upgrading, confirm the fix by attempting to access the plugin's functionality without proper authentication and verifying that access is denied.
Hoe te verhelpen
Update naar versie 5.1.3, of een nieuwere gepatchte versie
Veelgestelde vragenwordt vertaald…
What is CVE-2026-6510 — Privilege Escalation in InfusedWoo Pro?
CVE-2026-6510 is a critical vulnerability in the InfusedWoo Pro WordPress plugin allowing unauthenticated attackers to bypass authentication and gain control of user accounts, including administrators, via a crafted URL.
Am I affected by CVE-2026-6510 in InfusedWoo Pro?
You are affected if you are using InfusedWoo Pro versions 5.1.2 or earlier. Upgrade to version 5.1.3 to mitigate the risk.
How do I fix CVE-2026-6510 in InfusedWoo Pro?
Upgrade the InfusedWoo Pro plugin to version 5.1.3 or later. If immediate upgrade is not possible, temporarily disable the iwarsaverecipe() AJAX handler functionality or implement WAF rules.
Is CVE-2026-6510 being actively exploited?
While no active campaigns have been publicly reported, the ease of exploitation makes it a likely target for opportunistic attackers. Continuous monitoring is recommended.
Where can I find the official InfusedWoo Pro advisory for CVE-2026-6510?
Refer to the InfusedWoo Pro plugin documentation and website for the official advisory and update information. Check the WordPress plugin repository for the updated version.
Is jouw project getroffen?
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.
Detecteer deze CVE in je project
Upload je dependency-bestand en kom direct te weten of deze en andere CVEs jou raken.
Scan nu uw WordPress project — geen account
Upload een manifest (composer.lock, package-lock.json, WordPress pluginlijst…) of plak uw componentenlijst. U ontvangt direct een kwetsbaarheidsrapport. Een bestand uploaden is slechts het begin: met een account krijgt u continue monitoring, Slack/e-mail alerts, multi-project en white-label rapporten.
Sleep uw afhankelijkheidsbestand hierheen
composer.lock, package-lock.json, requirements.txt, Gemfile.lock, pubspec.lock, Dockerfile...