CVE-2026-6506
Infused Addons · InfusedWoo Pro
The InfusedWoo Pro plugin for WordPress contains a missing authorization vulnerability that allows authenticated users to escalate their privileges.
Executive summary
A missing authorization flaw in the InfusedWoo Pro plugin for WordPress enables authenticated attackers to perform unauthorized privilege escalation.
Vulnerability
This is a Missing Authorization (CWE-862) vulnerability that occurs because the plugin fails to perform adequate capability checks, allowing an authenticated user to perform actions outside their assigned privilege level.
Business impact
Successful exploitation allows an attacker to gain elevated administrative privileges, potentially leading to full site compromise, data loss, or the installation of malicious backdoors. The CVSS score of 8.8 (High) reflects the severity of allowing unauthorized privilege escalation within a web application environment.
Remediation
Immediate Action: Update the InfusedWoo Pro plugin to version 5.1.3 or later immediately.
Proactive Monitoring: Audit WordPress user accounts for suspicious additions or modifications to administrative roles that occurred recently.
Compensating Controls: Disable the plugin immediately if an update cannot be applied and verify the site for any unauthorized administrative accounts created during the window of vulnerability.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Privilege escalation vulnerabilities are critical threats to any CMS-based infrastructure. Administrators must update the affected plugin immediately and conduct a thorough audit of all existing user accounts to ensure no unauthorized escalation has already taken place.