CVE-2026-6510
WordPress · InfusedWoo Pro Plugin
The InfusedWoo Pro WordPress plugin is vulnerable to authentication bypass and privilege escalation via an insecure AJAX handler.
Executive summary
A critical privilege escalation vulnerability in the InfusedWoo Pro plugin allows unauthenticated attackers to gain administrative access via a crafted URL.
Vulnerability
The vulnerability stems from missing nonce verification and capability checks in the iwar_save_recipe() AJAX handler. An unauthenticated attacker can create a malicious recipe that forces an auto-login action, enabling them to hijack any user account, including administrators.
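As an added example (not code from the InfusedWoo Pro plugin or from this advisory), this is the hardened shape of a WordPress AJAX handler that performs the two checks the advisory says were missing; the action name, nonce field, script handle and post type are assumed for illustration.

```php
<?php
// Added example: hardened WordPress AJAX handler pattern. Not the InfusedWoo Pro
// plugin's code; action, nonce, script handle and post type names are assumed.

// Only the authenticated hook is registered. Deliberately NOT registering
// 'wp_ajax_nopriv_example_save_recipe' means logged-out requests never reach
// the handler at all.
add_action( 'wp_ajax_example_save_recipe', 'example_save_recipe' );

function example_save_recipe() {
    // 1. Nonce check: ties the request to a token issued to this user for this
    //    action. Fails closed (wp_die with HTTP 403) on a missing or stale nonce.
    check_ajax_referer( 'example_save_recipe', '_example_nonce' );

    // 2. Capability check: a logged-in session is not enough; the user must hold
    //    the capability the operation requires.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }

    // 3. Validate and sanitize input before it touches the database.
    $title = isset( $_POST['title'] ) ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '';
    if ( '' === $title ) {
        wp_send_json_error( array( 'message' => 'title is required' ), 400 );
    }

    // 4. Persist as an ordinary post of an assumed custom type. Saving a recipe
    //    has no side effects on authentication state (no auto-login of anyone).
    $post_id = wp_insert_post( array(
        'post_type'   => 'example_recipe',
        'post_title'  => $title,
        'post_status' => 'draft',
        'post_author' => get_current_user_id(),
    ), true );

    if ( is_wp_error( $post_id ) ) {
        wp_send_json_error( array( 'message' => $post_id->get_error_message() ), 500 );
    }
    wp_send_json_success( array( 'id' => $post_id ) );
}

// The browser obtains the nonce when the admin page is rendered; the script
// handle 'example-recipe-js' is assumed to be registered elsewhere.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'example-recipe-js', 'exampleRecipe', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_save_recipe' ),
    ) );
} );
```

A client request that omits the nonce or comes from a user without `manage_options` is rejected before any recipe data is read, which is the property the advisory's update restores.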
Business impact
The CVSS score of 9.8 underscores the severity of this risk. Successful exploitation allows unauthorized users to gain full administrative privileges, leading to complete compromise of the WordPress site, user database exfiltration, and unauthorized content modification.
Remediation
Immediate Action: Update the InfusedWoo Pro plugin to the latest version so that the AJAX handler performs the nonce verification and capability checks it currently lacks.
Proactive Monitoring: Review user account creation logs and audit administrative activity for suspicious logins or unauthorized changes to site configurations.
Compensating Controls: Use a WAF to restrict access to AJAX endpoints and monitor for unusual request patterns targeting the plugin's configuration files.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
This vulnerability grants attackers full control with minimal effort. It is imperative that administrators update the plugin immediately and audit existing user accounts for any signs of unauthorized account creation or privilege changes.