WordPress InfusedWoo Pro Plugin Vulnerable to Arbitrary File Read (CVE-2026-6514)
The National Vulnerability Database has identified CVE-2026-6514, a critical arbitrary file read vulnerability affecting all versions of the InfusedWoo Pro WordPress plugin up to and including 5.1.2. This flaw, exploitable via the popup_submit function by unauthenticated attackers, allows malicious actors to initiate web requests from the affected application to arbitrary locations. This capability can be leveraged to exfiltrate sensitive data from internal services or even modify internal information.
The CVSS score of 7.5 (HIGH) underscores the severity of this vulnerability. Attackers can exploit this without prior authentication or privileges, making it a prime target for initial access or further lateral movement within a compromised network. The CWE-918 classification highlights the specific nature of the vulnerability as a Server-Side Request Forgery (SSRF) variant, enabling unauthorized access to internal resources.
Defenders must prioritize patching affected WordPress installations immediately. Given the unauthenticated nature of the exploit, any organization using InfusedWoo Pro below version 5.1.3 is at significant risk. A thorough audit of web server logs for suspicious outbound requests originating from the WordPress application is also recommended to detect potential exploitation attempts.
What This Means For You
- If your organization uses the InfusedWoo Pro plugin on WordPress, immediately update to version 5.1.3 or later. If patching is not feasible, audit your web server logs for any unusual outbound requests originating from your WordPress instance that could indicate exploitation of CVE-2026-6514.
🛡️ Detection Rules
WordPress InfusedWoo Pro Arbitrary File Read - popup_submit - CVE-2026-6514
```yaml
title: WordPress InfusedWoo Pro Arbitrary File Read - popup_submit - CVE-2026-6514
id: scw-2026-05-14-ai-1
status: experimental
level: high
description: |
  Detects attempts to exploit the Arbitrary File Read vulnerability (CVE-2026-6514) in the InfusedWoo Pro WordPress plugin. The vulnerability is triggered via the 'popup_submit' action in the 'admin-ajax.php' endpoint, allowing unauthenticated attackers to read arbitrary files.
author: SCW Feed Engine (AI-generated)
date: 2026-05-14
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-6514/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/wp-admin/admin-ajax.php'
    cs-uri-query|contains:
      - 'action=popup_submit'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Source: Shimi's Cyber World
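The Sigma rule's condition applied to raw access-log lines, as an added example (not code from the original page, NVD, or the plugin vendor). It assumes Combined Log Format, and the sample lines are constructed. It goes one step past the rule by also flagging POSTs to admin-ajax.php that carry no action in the query string, because WordPress also reads the action from the request body, which access logs do not record.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def classify(line):
    """Return (verdict, ip, status) for a relevant log line, else None.

    "match": the query string carries action=popup_submit (the rule's condition).
    "body-unknown": POST to admin-ajax.php with no action in the query, so the
    action (if any) was in the body and cannot be confirmed from this log.
    """
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    # Sigma 'contains' is case-insensitive; decode and lower-case to mirror it.
    if "/wp-admin/admin-ajax.php" not in unquote(url.path).lower():
        return None
    # parse_qs percent-decodes, so action=popup%5Fsubmit is still caught.
    actions = [a.lower() for a in parse_qs(url.query).get("action", [])]
    if "popup_submit" in actions:
        return ("match", m["ip"], int(m["status"]))
    if m["method"] == "POST" and not actions:
        return ("body-unknown", m["ip"], int(m["status"]))
    return None

def scan(lines):
    """Classify every line and return the relevant hits in log order."""
    return [hit for hit in map(classify, lines) if hit]

# Constructed sample lines using documentation IP ranges, not real traffic.
SAMPLE = [
    '203.0.113.7 - - [14/May/2026:12:30:01 +0000] "GET /wp-admin/admin-ajax.php?action=popup_submit HTTP/1.1" 200 512 "-" "-"',
    '203.0.113.7 - - [14/May/2026:12:30:02 +0000] "POST /wp-admin/admin-ajax.php?action=popup%5Fsubmit HTTP/1.1" 200 1024 "-" "-"',
    '198.51.100.20 - - [14/May/2026:12:31:10 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 87 "-" "-"',
    '198.51.100.20 - - [14/May/2026:12:31:11 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 40 "-" "-"',
    '192.0.2.5 - - [14/May/2026:12:32:00 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "-"',
]

if __name__ == "__main__":
    for verdict, ip, status in scan(SAMPLE):
        print(f"{verdict:13} {ip:15} {status}")
```

"body-unknown" hits are leads rather than detections: confirming them needs request-body logging or WAF records for the same timestamps.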
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-6514 | Arbitrary File Read | InfusedWoo Pro plugin for WordPress |
| CVE-2026-6514 | Arbitrary File Read | InfusedWoo Pro plugin versions up to, and including, 5.1.2 |
| CVE-2026-6514 | Arbitrary File Read | Vulnerable component: popup_submit |
| CVE-2026-6514 | SSRF | Unauthenticated attackers can make web requests to arbitrary locations originating from the web application |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 14, 2026 at 12:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.