VYPR
← All advisories
Critical severity9.8NVD Advisory· Published May 14, 2026· Updated May 14, 2026

CVE-2026-6510

CVE-2026-6510

Description

The InfusedWoo Pro plugin for WordPress is vulnerable to privilege escalation via missing authorization in all versions up to, and including, 5.1.2. This is due to missing nonce verification and capability checks in the iwar_save_recipe() AJAX handler. This makes it possible for unauthenticated attackers to create a malicious automation recipe that pairs an HTTP post trigger with an auto-login action, allowing any unauthenticated visitor to visit a crafted URL and receive authentication cookies for any targeted user account (e.g., administrator), achieving complete authentication bypass and privilege escalation.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

InfusedWoo Pro plugin for WordPress ≤5.1.2 allows unauthenticated attackers to create malicious automation recipes, enabling authentication bypass and privilege escalation to admin.

Vulnerability

The vulnerability resides in the iwar_save_recipe() AJAX handler of the InfusedWoo Pro plugin for WordPress. Missing nonce verification and capability checks allow unauthenticated attackers to create automation recipes. All versions up to and including 5.1.2 are affected [1].

Exploitation

An unauthenticated attacker can send a crafted AJAX request to iwar_save_recipe() to create a malicious automation recipe that pairs an HTTP post trigger with an auto-login action. Subsequently, any unauthenticated visitor who accesses a crafted URL will receive authentication cookies for a targeted user account (e.g., administrator). No prior authentication or user interaction is required [1].

Impact

Successful exploitation results in complete authentication bypass and privilege escalation. An attacker can gain administrator-level access to the WordPress site, leading to full site compromise, data theft, and potential further attacks [1].

Mitigation

As of the publication date, no patch has been released. Users should disable the InfusedWoo Pro plugin or restrict access to the vulnerable AJAX handler until a fix is available. No official workaround has been provided [1].

References
  1. InfusedWoo — Keap WooCommerce Integration Plugin (formerly Infusionsoft)

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

2

News mentions

0

No linked articles in our index yet.