InfusedWoo Pro Plugin Privilege Escalation (CVE-2026-6506)

The InfusedWoo Pro plugin for WordPress, in all versions up to and including 5.1.2, is vulnerable to privilege escalation, tracked as CVE-2026-6506. According to the National Vulnerability Database, the infusedwoo_gdpr_upddata() function performs no authorization or capability check, and it does not restrict which user meta keys it is willing to update.

Together those two omissions let any authenticated user, including one with subscriber-level access, write to their own wp_capabilities user meta and assign themselves the Administrator role. NVD rates the flaw CVSS 8.8 (HIGH). Because wp_capabilities is the value WordPress reads to decide a user's role, control over it is equivalent to full site compromise; this is not a theoretical bug.

For defenders running this plugin, the point to internalise is that a single low-privileged account is all an attacker needs. The flaw is a plain authorization bypass: no memory corruption, no race, no chained bugs. Updating or removing the plugin is mandatory, and it should be followed by an audit for privilege changes that the site's administrators did not make.

What This Means For You

  • If your WordPress site uses the InfusedWoo Pro plugin, check the installed version now. Any version up to and including 5.1.2 is affected: update to a fixed release if one is available, otherwise deactivate the plugin until one is. Then review the wp_usermeta table (or your user-activity log, if you keep one) for `wp_capabilities` values that grant administrator to accounts that should be subscribers or customers. An unexpected grant, especially on a recently registered or rarely used account, is a likely sign of compromise; treat it as an incident, not just a cleanup, and reset the affected accounts' passwords and sessions.
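The two checks the bullet above asks for, as an added example that is not part of the original advisory and not the plugin's own code: first a version comparison against the last affected release named in the text, then an audit of wp_capabilities values. The audit parses the PHP-serialized role array WordPress stores in that meta key, so it can be run over a plain SQL export of wp_users joined to wp_usermeta without a PHP interpreter. The rows, the expected-administrator list and the set of known site roles are constructed assumptions for the example; on a real site, feed it your own export and your own list of documented admin logins.

```python
import re
from typing import Iterable

# Last affected release, as stated in the advisory.
LAST_VULNERABLE_VERSION = "5.1.2"

# Roles WordPress core defines, plus the two WooCommerce adds. Anything else
# in wp_capabilities is either a plugin-defined role or a hand-written value;
# adjust this set to the roles your site legitimately uses (assumed here).
KNOWN_ROLES = {"administrator", "editor", "author", "contributor",
               "subscriber", "customer", "shop_manager"}

_ARRAY_HEAD = re.compile(r"a:(\d+):\{")
_STRING_KEY = re.compile(r's:(\d+):"')
_BOOL_VALUE = re.compile(r"b:([01]);")


def version_tuple(version: str) -> tuple:
    """Turn '5.1.2' or '5.1.2-beta1' into (5, 1, 2) for ordered comparison."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_vulnerable_version(installed: str) -> bool:
    """True when the installed InfusedWoo Pro version is <= 5.1.2."""
    return version_tuple(installed) <= version_tuple(LAST_VULNERABLE_VERSION)


def parse_capabilities(serialized: str) -> dict:
    """Parse the PHP-serialized role array WordPress stores in wp_capabilities.

    Only the shape core writes is accepted: a:N:{s:LEN:"role";b:1;...}.
    Any other structure raises ValueError so a hand-crafted value is surfaced
    rather than silently skipped. Role names are assumed to be ASCII, so the
    byte length PHP records equals the character count used here.
    """
    head = _ARRAY_HEAD.match(serialized)
    if not head:
        raise ValueError(f"not a serialized array: {serialized!r}")
    count, pos, caps = int(head.group(1)), head.end(), {}
    for _ in range(count):
        key = _STRING_KEY.match(serialized, pos)
        if not key:
            raise ValueError(f"bad key at offset {pos}: {serialized!r}")
        length, start = int(key.group(1)), key.end()
        name = serialized[start:start + length]
        pos = start + length
        if serialized[pos:pos + 2] != '";':
            raise ValueError(f"key length mismatch in {serialized!r}")
        value = _BOOL_VALUE.match(serialized, pos + 2)
        if not value:
            raise ValueError(f"non-boolean value in {serialized!r}")
        caps[name] = value.group(1) == "1"
        pos = value.end()
    if serialized[pos:] != "}":
        raise ValueError(f"trailing data in {serialized!r}")
    return caps


def find_unexpected_admins(rows: Iterable[tuple], expected_admins: set,
                           known_roles: set = KNOWN_ROLES) -> list:
    """Flag accounts holding administrator that are not on the site's documented
    admin list, and accounts carrying a role the site does not define.

    rows: (user_id, user_login, meta_value) from wp_users joined to wp_usermeta
    on meta_key = 'wp_capabilities' (table prefix 'wp_' assumed).
    """
    findings = []
    for user_id, login, serialized in rows:
        granted = parse_capabilities(serialized)
        roles = sorted(role for role, on in granted.items() if on)
        if "administrator" in roles and login not in expected_admins:
            findings.append((user_id, login, "unexpected administrator", roles))
        if not set(roles) <= known_roles:
            findings.append((user_id, login, "unknown role", roles))
    return findings


# Constructed sample rows standing in for a real wp_users/wp_usermeta export.
SAMPLE_ROWS = [
    (1, "siteowner", 'a:1:{s:13:"administrator";b:1;}'),
    (7, "alice", 'a:1:{s:10:"subscriber";b:1;}'),
    (8, "bob", 'a:1:{s:8:"customer";b:1;}'),
    # A former subscriber whose role array now reads administrator: the
    # outcome of the unrestricted meta write described in the advisory.
    (42, "mallory", 'a:1:{s:13:"administrator";b:1;}'),
]
EXPECTED_ADMINS = {"siteowner"}  # assumed: the site's documented admin logins


def audit_sample() -> list:
    """Run the audit over the constructed rows; returns the findings list."""
    return find_unexpected_admins(SAMPLE_ROWS, EXPECTED_ADMINS)


if __name__ == "__main__":
    print("installed 5.1.2 vulnerable:", is_vulnerable_version("5.1.2"))
    for finding in audit_sample():
        print("FINDING:", finding)
```

The parser deliberately rejects anything that is not a flat role-name-to-boolean array. WordPress core never writes anything else to wp_capabilities, so a value that fails to parse is itself worth investigating, which is why it raises instead of returning an empty dict.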

Indicators of Compromise

ID             Type                  Indicator
CVE-2026-6506  Privilege Escalation  InfusedWoo Pro plugin for WordPress
CVE-2026-6506  Privilege Escalation  InfusedWoo Pro plugin versions <= 5.1.2
CVE-2026-6506  Privilege Escalation  Vulnerable function: infusedwoo_gdpr_upddata()
CVE-2026-6506  Privilege Escalation  Missing authorization and capability checks
CVE-2026-6506  Privilege Escalation  Ability to update wp_capabilities user meta
Source & Attribution
Source platform: NVD
Channel: National Vulnerability Database
Published: May 14, 2026 at 10:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.


Related coverage

CVE-2026-6670 — Path Traversal

CVE-2026-6670 — The Media Sync plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.4.9 via the 'sub_dir' and...

Severity: MEDIUM (CVSS 6.5), CWE-22 (path traversal)

CVE-2026-6510: Critical Privilege Escalation in InfusedWoo Pro WordPress Plugin

CVE-2026-6510 — The InfusedWoo Pro plugin for WordPress is vulnerable to privilege escalation via missing authorization in all versions up to, and including, 5.1.2. This...

Severity: CRITICAL (CVSS 9.8), CWE-862 (missing authorization)

CVE-2026-6271: WordPress Career Section Plugin RCE via File Upload

CVE-2026-6271 — The Career Section plugin for WordPress is vulnerable to Arbitrary File Upload in all versions up to, and including, 1.7 via the CV...

Severity: CRITICAL (CVSS 9.8), CWE-434 (unrestricted file upload)