CVE-2026-6510: Critical Privilege Escalation in InfusedWoo Pro WordPress Plugin
A critical privilege escalation vulnerability, tracked as CVE-2026-6510, has been identified in the InfusedWoo Pro plugin for WordPress, affecting all versions up to and including 5.1.2. The National Vulnerability Database reports that the flaw stems from missing nonce verification and capability checks in the iwar_save_recipe() AJAX handler: the handler neither confirms that the request carries a valid nonce nor that the caller holds the capability needed to manage recipes.
Because the handler performs neither check, an unauthenticated attacker can save an automation recipe of their own design. A recipe that pairs an HTTP POST trigger with an auto-login action makes the plugin issue authentication cookies for the targeted account, administrators included, to any unauthenticated visitor who requests the resulting URL. Authentication is bypassed outright, and the attacker ends up with full administrative control of the site.
Rated CVSS 9.8 (CRITICAL), the flaw is a severe threat to the confidentiality, integrity and availability of affected WordPress sites. A 9.8 score reflects an attack that is reachable over the network, has low complexity, and needs neither privileges nor user interaction, which makes this a prime target for opportunistic, automated exploitation.
What This Means For You
- If your organization runs the InfusedWoo Pro plugin on any WordPress installation, you are exposed: this is a direct, unauthenticated path to an administrator session, not a minor bug. Update the plugin to a release later than 5.1.2 as soon as one is available. Until then, deactivate it or add a WAF rule that blocks requests to /wp-admin/admin-ajax.php carrying action=iwar_save_recipe in either the query string or the POST body; match on the action parameter rather than on admin-ajax.php as a whole, because WordPress core and most plugins depend on that endpoint. Patching does not remove recipes an attacker has already saved, so review the plugin's stored recipes for HTTP POST triggers paired with auto-login actions, delete any you did not create, and rotate credentials and sessions for the accounts they targeted.
Related ATT&CK Techniques
- T1190 Exploit Public-Facing Application (Initial Access)
🛡️ Detection Rules
CVE-2026-6510: InfusedWoo Pro Unauthenticated Privilege Escalation via AJAX Handler

```yaml
title: 'CVE-2026-6510: InfusedWoo Pro Unauthenticated Privilege Escalation via AJAX Handler'
id: scw-2026-05-14-ai-1
status: experimental
level: critical
description: |
  Detects attempts to exploit CVE-2026-6510 by targeting the iwar_save_recipe() AJAX handler in InfusedWoo Pro.
  This rule looks for POST requests to '/wp-admin/admin-ajax.php' with the 'action' parameter set to
  'iwar_save_recipe', indicating a potential attempt to create a malicious automation recipe for privilege escalation.
author: SCW Feed Engine (AI-generated)
date: 2026-05-14
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-6510/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/wp-admin/admin-ajax.php'
    cs-method:
      - 'POST'
    cs-uri-query|contains:
      - 'action=iwar_save_recipe'
  selection_base:
    sc-status:
      - 200
  condition: selection and selection_base
falsepositives:
  - Legitimate administrative activity
```

Two caveats before relying on this rule: the `action` parameter of an admin-ajax.php call normally travels in the POST body, which webserver access logs do not record, so the rule fires only when the attacker places it in the query string; and the `sc-status: 200` clause drops attempts that were blocked or failed, which are still worth knowing about. Pair it with WAF or application-layer logging that captures request bodies.
Source: Shimi's Cyber World
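To make the rule's reach and its blind spots concrete, the following added example (written for this page, not part of the original rule or the plugin's code) implements the Sigma selection logic in Python and runs it over a constructed W3C-extended webserver log. The log lines are constructed, not real traffic, and the field names follow the W3C/IIS convention, where the rule's `cs-uri` corresponds to `cs-uri-stem`.

```python
"""Added example: the page's Sigma selection logic applied to a constructed
W3C-extended (IIS-style) webserver log. Not part of the original rule."""
from typing import Iterator

# Constructed sample log, not real traffic. Fields mirror the Sigma rule's
# webserver fields; the rule's 'cs-uri' is the W3C 'cs-uri-stem' here.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2026-05-14 10:20:01 203.0.113.7 POST /wp-admin/admin-ajax.php action=iwar_save_recipe 200
2026-05-14 10:20:02 203.0.113.7 POST /wp-admin/admin-ajax.php action=IWAR_SAVE_RECIPE&nonce=x 200
2026-05-14 10:20:03 198.51.100.4 GET /wp-admin/admin-ajax.php action=iwar_save_recipe 200
2026-05-14 10:20:04 198.51.100.4 POST /wp-admin/admin-ajax.php action=heartbeat 200
2026-05-14 10:20:05 203.0.113.7 POST /wp-admin/admin-ajax.php - 200
2026-05-14 10:20:06 203.0.113.9 POST /wp-admin/admin-ajax.php action=iwar_save_recipe 400
"""


def parse_w3c(text: str) -> Iterator[dict[str, str]]:
    """Yield one dict per log line, keyed by the names in the #Fields header."""
    fields: list[str] = []
    for raw in text.splitlines():
        if raw.startswith("#Fields:"):
            fields = raw.split()[1:]
            continue
        if not raw or raw.startswith("#"):
            continue
        values = raw.split()
        if len(values) != len(fields):
            continue  # malformed line; a real pipeline would count these
        yield dict(zip(fields, values))


def contains_ci(value: str, needles: list[str]) -> bool:
    """Sigma's |contains modifier: substring match, case-insensitive by default."""
    haystack = value.lower()
    return any(n.lower() in haystack for n in needles)


def matches_rule(event: dict[str, str], require_200: bool = True) -> bool:
    """Evaluate 'selection and selection_base' from the rule above."""
    selection = (
        contains_ci(event.get("cs-uri-stem", ""), ["/wp-admin/admin-ajax.php"])
        and event.get("cs-method", "").upper() == "POST"
        and contains_ci(event.get("cs-uri-query", ""), ["action=iwar_save_recipe"])
    )
    selection_base = event.get("sc-status") == "200"
    return selection and (selection_base or not require_200)


def run_rule(text: str, require_200: bool = True) -> list[str]:
    """Return the timestamps of matching events."""
    return [e["time"] for e in parse_w3c(text) if matches_rule(e, require_200)]


def unclassifiable_posts(text: str) -> list[str]:
    """POSTs to admin-ajax.php whose 'action' travelled in the request body:
    the access log holds no query string, so no log-only rule can tell
    whether they were iwar_save_recipe calls."""
    return [
        e["time"]
        for e in parse_w3c(text)
        if e.get("cs-method", "").upper() == "POST"
        and contains_ci(e.get("cs-uri-stem", ""), ["/wp-admin/admin-ajax.php"])
        and e.get("cs-uri-query", "-") == "-"
    ]


if __name__ == "__main__":
    print("rule as written:  ", run_rule(SAMPLE_LOG))
    print("without sc-status:", run_rule(SAMPLE_LOG, require_200=False))
    print("body-only POSTs:  ", unclassifiable_posts(SAMPLE_LOG))
```

The rule as written flags the two requests at 10:20:01 and 10:20:02 (the second shows that Sigma's `contains` is case-insensitive). The 10:20:06 request is the same exploitation attempt answered with a 400, and only matches once the status clause is dropped; the 10:20:05 request sent its parameters in the body and cannot be classified from the access log at all. That last class is the one a WAF audit log or application-level logging has to cover.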
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-6510 | Affected software | InfusedWoo Pro plugin for WordPress, versions <= 5.1.2 |
| CVE-2026-6510 | Vulnerable endpoint | iwar_save_recipe() AJAX handler, reached via /wp-admin/admin-ajax.php with action=iwar_save_recipe |
| CVE-2026-6510 | Impact | Privilege escalation / authentication bypass |
| CVE-2026-6510 | Exploitation pattern | Unauthenticated attacker saves an automation recipe pairing an HTTP POST trigger with an auto-login action |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 14, 2026 at 10:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.