Threat Feed
critical advisory

CVE-2026-6510: InfusedWoo Pro WordPress Plugin Privilege Escalation

The InfusedWoo Pro plugin for WordPress is vulnerable to privilege escalation due to missing nonce verification and capability checks in the iwar_save_recipe() AJAX handler, allowing unauthenticated attackers to create malicious automation recipes for auto-login actions.

The InfusedWoo Pro plugin for WordPress, in versions up to and including 5.1.2, is vulnerable to a critical privilege escalation flaw, tracked as CVE-2026-6510. This vulnerability stems from a lack of proper authorization checks within the iwar_save_recipe() AJAX handler. Specifically, missing nonce verification and capability checks allow unauthenticated attackers to craft malicious automation recipes. This means an attacker can create a recipe that, when triggered by an HTTP POST request to a crafted URL, automatically logs in a targeted user, including administrators, without any authentication. This vulnerability poses a severe threat to WordPress sites using the affected plugin, as it allows complete authentication bypass and full administrative control.

Attack Chain

  1. An unauthenticated attacker identifies a WordPress site using a vulnerable version of the InfusedWoo Pro plugin (<= 5.1.2).
  2. The attacker crafts a malicious automation recipe designed to exploit the iwar_save_recipe() AJAX handler. This recipe pairs an HTTP POST trigger with an auto-login action.
  3. The attacker sends a POST request to the /wp-admin/admin-ajax.php endpoint, calling the iwar_save_recipe action with the malicious recipe data. This bypasses authentication checks due to missing nonce verification and capability checks.
  4. The vulnerable iwar_save_recipe() function saves the malicious recipe without proper authorization.
  5. The attacker crafts a URL that fires the HTTP POST trigger defined in the malicious recipe.
  6. When a user (or the attacker) visits the crafted URL, the auto-login action is executed via the malicious recipe.
  7. The server generates authentication cookies for the targeted user account (e.g., administrator).
  8. The attacker uses the newly acquired authentication cookies to gain complete administrative access to the WordPress site, bypassing normal authentication mechanisms.

Impact

Successful exploitation of CVE-2026-6510 allows unauthenticated attackers to gain complete administrative control over affected WordPress sites. This can lead to website defacement, data theft, malware injection, and complete compromise of the underlying server. Because the vulnerability lets an attacker escalate to the highest privilege level while bypassing all authentication mechanisms, it is rated critical.

Recommendation

  • Apply the latest update for the InfusedWoo Pro plugin to patch CVE-2026-6510.
  • Deploy the Sigma rule “Detect CVE-2026-6510 iwar_save_recipe AJAX Call” to monitor for exploitation attempts.
  • Monitor web server logs for POST requests to /wp-admin/admin-ajax.php with the action=iwar_save_recipe parameter, as this is the entry point for the attack.
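As an added illustration of the third recommendation (this is example code, not code from the advisory, the Sigma rule, or the plugin vendor), the Python script below scans access-log records for POST requests to /wp-admin/admin-ajax.php whose action is iwar_save_recipe. It assumes Apache/nginx combined-format log lines and, optionally, a captured request body supplied by a WAF or request-body logging module; the log lines, IP addresses and the names Hit, detect, ajax_action and hits_by_ip are constructed for this example. A standard access log records only the query string, so a request that carries the action solely in the POST body is invisible to this check unless the body is logged elsewhere; the final sample record demonstrates that gap.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Combined access-log prefix: client IP, timestamp, request line, status, size.
# Assumption for this example: logs are in Apache/nginx "combined" format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

AJAX_PATH = "/wp-admin/admin-ajax.php"   # entry point named in the advisory
TARGET_ACTION = "iwar_save_recipe"       # vulnerable AJAX action named in the advisory


@dataclass
class Hit:
    ip: str
    ts: str
    status: int
    source: str  # "query" if the action was in the URL, "body" if in a captured POST body


def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def ajax_action(target: str, body: Optional[str]) -> Tuple[Optional[str], Optional[str]]:
    """Return (action, where_found) for a request to admin-ajax.php.

    WordPress reads the action from $_REQUEST, so it may arrive in the query
    string or in the form-encoded POST body. Access logs carry only the former;
    the body is available only if a WAF or request-body logging supplies it.
    """
    url = urlsplit(target)
    if url.path != AJAX_PATH:
        return None, None
    qs = parse_qs(url.query)
    if "action" in qs:
        return qs["action"][0], "query"
    if body:
        form = parse_qs(body)
        if "action" in form:
            return form["action"][0], "body"
    return None, None


def detect(records: Iterable[Tuple[str, Optional[str]]]) -> List[Hit]:
    """Flag POST requests whose admin-ajax action is iwar_save_recipe."""
    hits: List[Hit] = []
    for line, body in records:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        action, source = ajax_action(rec["target"], body)
        if action == TARGET_ACTION:
            hits.append(Hit(rec["ip"], rec["ts"], int(rec["status"]), source))
    return hits


def hits_by_ip(hits: List[Hit]) -> Counter:
    """Count flagged requests per source address, for triage."""
    return Counter(h.ip for h in hits)


# Constructed sample records: (access-log line, captured POST body or None).
SAMPLE_RECORDS = [
    ('203.0.113.7 - - [10/Mar/2026:14:02:11 +0000] '
     '"POST /wp-admin/admin-ajax.php?action=iwar_save_recipe HTTP/1.1" 200 57 "-" "curl/8.4.0"',
     None),
    ('203.0.113.7 - - [10/Mar/2026:14:02:12 +0000] '
     '"POST /wp-admin/admin-ajax.php HTTP/1.1" 200 57 "-" "curl/8.4.0"',
     "action=iwar_save_recipe&recipe=%7B%7D"),  # body captured by a WAF
    ('198.51.100.5 - - [10/Mar/2026:14:03:40 +0000] '
     '"POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 95 "-" "Mozilla/5.0"',
     None),
    ('198.51.100.5 - - [10/Mar/2026:14:03:41 +0000] '
     '"GET /wp-admin/admin-ajax.php?action=iwar_save_recipe HTTP/1.1" 400 0 "-" "Mozilla/5.0"',
     None),
    # Same client, action only in the POST body, body not captured: not detectable here.
    ('203.0.113.7 - - [10/Mar/2026:14:04:00 +0000] '
     '"POST /wp-admin/admin-ajax.php HTTP/1.1" 200 57 "-" "curl/8.4.0"',
     None),
]

if __name__ == "__main__":
    found = detect(SAMPLE_RECORDS)
    for h in found:
        print(f"{h.ts} {h.ip} status={h.status} action found in {h.source}")
    print(hits_by_ip(found))
```

Running the script reports two hits from 203.0.113.7 (one from the query string, one from the captured body) and nothing for the heartbeat call, the GET request, or the uncaptured-body POST. In production the status code is worth keeping in the alert: a 200 on this action from an unauthenticated source is the case the advisory describes, while a 4xx after patching indicates a failed attempt.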

Detection coverage (1)

Detect CVE-2026-6510 iwar_save_recipe AJAX Call

Level: high

Detects CVE-2026-6510 exploitation — Unauthenticated POST request to iwar_save_recipe AJAX endpoint, indicating a possible privilege escalation attempt.

Format: Sigma
Tactics: initial_access, privilege_escalation
Techniques: T1555
Sources: webserver
