https://feed.craftedsignal.io/products/infusedwoo-pro-plugin--5.1.2/Trending threats, MITRE ATT&CK coverage, and detection metadata. Fed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioThu, 14 May 2026 07:18:17 +0000https://feed.craftedsignal.io/briefs/2026-05-cve-2026-6506-wordpress-privesc/Thu, 14 May 2026 07:18:17 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-cve-2026-6506-wordpress-privesc/The InfusedWoo Pro plugin for WordPress is vulnerable to privilege escalation in versions up to 5.1.2 due to missing authorization checks in the infusedwoo_gdpr_upddata() function, allowing authenticated attackers to grant themselves administrator privileges.The InfusedWoo Pro plugin, a WordPress extension, contains a privilege escalation vulnerability, identified as CVE-2026-6506, in all versions up to and including 5.1.2. The vulnerability lies within the infusedwoo_gdpr_upddata() function, which lacks proper authorization and capability checks. Furthermore, there are no restrictions on which user meta keys can be updated. An attacker with a valid WordPress account (subscriber level or higher) can exploit this flaw to modify their wp_capabilities user meta, effectively granting themselves administrator-level privileges. This can lead to complete compromise of the WordPress site.

Attack Chain

1. An attacker obtains a valid user account on the WordPress site, with at least subscriber-level access.
2. The attacker crafts a malicious HTTP request targeting the infusedwoo_gdpr_upddata() function.
3. The request includes a payload designed to modify the attacker’s wp_capabilities user meta field.
4. Due to the missing authorization and capability checks, the infusedwoo_gdpr_upddata() function processes the request without validation.
5. The attacker’s wp_capabilities user meta is updated to include administrator privileges.
6. The attacker logs out and logs back in to the WordPress site.
7. Upon re-authentication, the attacker is now recognized as an administrator.
8. The attacker leverages their newly acquired administrator privileges to perform malicious actions, such as installing backdoors, modifying website content, or exfiltrating sensitive data.

Impact

Successful exploitation of this vulnerability allows attackers to gain complete control over the affected WordPress website. This can lead to data breaches, website defacement, installation of malware, and other malicious activities. Given the popularity of WordPress and the potential for widespread use of the InfusedWoo Pro plugin, a significant number of websites could be at risk.

Recommendation

• Upgrade the InfusedWoo Pro plugin to a version greater than 5.1.2 to patch CVE-2026-6506.
• Deploy the Sigma rule provided below to detect attempts to modify wp_capabilities user meta via the infusedwoo_gdpr_upddata() function.
• Review WordPress user roles and permissions to ensure least privilege.

]]>highadvisoryprivilege-escalationwordpresspluginhttps://feed.craftedsignal.io/briefs/2026-05-cve-2026-6510-privesc/Thu, 14 May 2026 07:17:18 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-05-cve-2026-6510-privesc/The InfusedWoo Pro plugin for WordPress is vulnerable to privilege escalation due to missing nonce verification and capability checks in the iwar_save_recipe() AJAX handler, allowing unauthenticated attackers to create malicious automation recipes for auto-login actions.The InfusedWoo Pro plugin for WordPress, in versions up to and including 5.1.2, is vulnerable to a critical privilege escalation flaw, tracked as CVE-2026-6510. This vulnerability stems from a lack of proper authorization checks within the iwar_save_recipe() AJAX handler. Specifically, missing nonce verification and capability checks allow unauthenticated attackers to craft malicious automation recipes. This means an attacker can create a recipe that, when triggered by an HTTP POST request to a crafted URL, automatically logs in a targeted user, including administrators, without any authentication. This vulnerability poses a severe threat to WordPress sites using the affected plugin, as it allows complete authentication bypass and full administrative control.

Attack Chain

1. An unauthenticated attacker identifies a WordPress site using a vulnerable version of the InfusedWoo Pro plugin (<= 5.1.2).
2. The attacker crafts a malicious automation recipe designed to exploit the iwar_save_recipe() AJAX handler. This recipe pairs an HTTP POST trigger with an auto-login action.
3. The attacker sends a POST request to the /wp-admin/admin-ajax.php endpoint, calling the iwar_save_recipe action with the malicious recipe data. This bypasses authentication checks due to missing nonce verification and capability checks.
4. The vulnerable iwar_save_recipe() function saves the malicious recipe without proper authorization.
5. The attacker crafts a special crafted URL that triggers the HTTP POST trigger defined in the malicious recipe.
6. When a user (or the attacker) visits the crafted URL, the auto-login action is executed via the malicious recipe.
7. The server generates authentication cookies for the targeted user account (e.g., administrator).
8. The attacker uses the newly acquired authentication cookies to gain complete administrative access to the WordPress site, bypassing normal authentication mechanisms.

Impact

Successful exploitation of CVE-2026-6510 allows unauthenticated attackers to gain complete administrative control over affected WordPress sites. This can lead to website defacement, data theft, malware injection, and complete compromise of the underlying server. The vulnerability allows attackers to escalate privileges to the highest level, bypassing all authentication mechanisms, therefore making this a critical issue.

Recommendation

• Apply the latest update for the InfusedWoo Pro plugin to patch CVE-2026-6510.
• Deploy the Sigma rule “Detect CVE-2026-6510 iwar_save_recipe AJAX Call” to monitor for exploitation attempts.
• Monitor web server logs for POST requests to /wp-admin/admin-ajax.php with the action=iwar_save_recipe parameter, as this is the entry point for the attack.

]]>criticaladvisoryprivilege-escalationinitial-accesswordpress