CVE-2026-6510: Privilege Escalation in InfusedWoo Pro

The impact of CVE-2026-6510 is severe. An unauthenticated attacker can craft a malicious URL that, when visited, grants them authentication cookies for any targeted user account. This effectively bypasses the WordPress authentication mechanism, allowing the attacker to impersonate any user, including administrators. Successful exploitation grants complete control over the WordPress site, enabling data theft, modification, deletion, and the installation of malicious code. This vulnerability shares similarities with other authentication bypass flaws where improper nonce verification and capability checks are exploited to gain unauthorized access.

1. Reservado2026-04-17
2. Publicada2026-05-14

The primary mitigation for CVE-2026-6510 is to immediately upgrade the InfusedWoo Pro plugin to version 5.1.3 or later. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the iwarsaverecipe() AJAX handler functionality within the plugin (if possible through configuration options). Web Application Firewalls (WAFs) configured to detect and block suspicious HTTP POST requests targeting the iwarsaverecipe() endpoint can provide an additional layer of defense. Monitor WordPress logs for unusual authentication activity or attempts to access the iwarsaverecipe() endpoint from unauthorized IP addresses. After upgrading, confirm the fix by attempting to access the plugin's functionality without proper authentication and verifying that access is denied.