CVE-2026-6512
InfusedWoo · InfusedWoo Pro Plugin for WordPress
The InfusedWoo Pro plugin for WordPress is vulnerable to an authorization bypass that allows unauthenticated attackers to perform destructive actions on site content.
Executive summary
An authorization bypass flaw in the InfusedWoo Pro plugin for WordPress enables unauthenticated attackers to delete posts, pages, and orders, or modify site status.
Vulnerability
The plugin fails to perform adequate authorization checks on critical administrative functions. This allows unauthenticated attackers to trigger destructive actions, including mass-deletion of comments and modification of post statuses.
Business impact
This vulnerability carries a CVSS score of 9.1, reflecting its potential for severe operational disruption. Successful exploitation could lead to significant data loss, destruction of e-commerce records, and long-term reputational damage to the affected business entity.
Remediation
Immediate Action: Update the InfusedWoo Pro plugin to the latest version.
Proactive Monitoring: Regularly audit site content and database logs to identify unauthorized modifications or deletions of critical business records.
Compensating Controls: Restrict access to administrative endpoints via a WAF or IP-based allowlisting if an immediate update is not feasible.
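One way to carry out the Proactive Monitoring step, as an added example that is not part of the original advisory or the plugin's code: diff two periodic snapshots of content rows and flag deletions, status changes and mass deletion per content type. The snapshot data is constructed, the function names and thresholds are hypothetical, and it assumes orders are stored as shop_order rows in wp_posts.

```python
"""Added example: diff two content snapshots to surface deletions and status changes."""
from collections import Counter

# Constructed sample snapshots: {(table, id): (type, status)}.
# Assumption: each would come from a periodic export of wp_posts
# (ID, post_type, post_status) and wp_comments (comment_ID, comment_approved).
BEFORE = {
    ("posts", 10): ("post", "publish"),
    ("posts", 11): ("page", "publish"),
    ("posts", 12): ("shop_order", "wc-completed"),
    ("posts", 13): ("shop_order", "wc-processing"),
    ("comments", 1): ("comment", "1"),
    ("comments", 2): ("comment", "1"),
    ("comments", 3): ("comment", "1"),
}
AFTER = {
    ("posts", 10): ("post", "draft"),  # status changed
    ("posts", 11): ("page", "publish"),
    ("posts", 13): ("shop_order", "wc-processing"),
    # order 12 and every comment are missing from this snapshot
}


def diff_snapshots(before, after):
    """Return (deleted keys, status changes) between two snapshots."""
    deleted = sorted(k for k in before if k not in after)
    changed = sorted(
        (k, before[k][1], after[k][1])
        for k in before
        if k in after and before[k][1] != after[k][1]
    )
    return deleted, changed


def mass_deletion_alerts(before, deleted, ratio=0.5, min_rows=3):
    """Content types where >= min_rows rows and >= ratio of all rows vanished."""
    totals = Counter(row[0] for row in before.values())
    gone = Counter(before[k][0] for k in deleted)
    return sorted(t for t, n in gone.items()
                  if n >= min_rows and n / totals[t] >= ratio)


if __name__ == "__main__":
    deleted, changed = diff_snapshots(BEFORE, AFTER)
    print("deleted:", deleted)
    print("status changes:", changed)
    print("mass deletion in:", mass_deletion_alerts(BEFORE, deleted))
```

Changes found this way still need to be matched against authenticated admin activity to decide whether they were authorized.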
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
The severity of this vulnerability necessitates prompt action to prevent potential site defacement or data destruction. All administrators should prioritize updating the InfusedWoo Pro plugin to the latest version to restore proper authorization controls.