Attack Chain

1. An unauthenticated attacker identifies a WordPress site using the vulnerable InfusedWoo Pro plugin (version <= 5.1.2).
2. The attacker crafts a malicious HTTP request targeting the popup_submit endpoint.
3. The crafted request contains a URL pointing to an internal resource or service.
4. The WordPress server, acting on behalf of the attacker, makes a request to the specified internal URL.
5. The response from the internal resource is returned to the attacker, effectively bypassing access controls.
6. The attacker reads sensitive files or queries internal services, gathering information about the target network.
7. The attacker may potentially leverage the SSRF vulnerability to modify data on internal services.

Impact

Successful exploitation of this vulnerability (CVE-2026-6514) allows an unauthenticated attacker to read arbitrary files and potentially interact with internal services accessible to the WordPress server. This could lead to the exposure of sensitive data, such as configuration files, database credentials, or API keys. It could also enable further attacks, such as privilege escalation or lateral movement within the internal network. The severity of the impact depends on the type and sensitivity of the data and services exposed through the SSRF vulnerability.

Recommendation

• Upgrade the InfusedWoo Pro plugin to a version higher than 5.1.2 to patch CVE-2026-6514.
• Deploy the Sigma rule “Detect CVE-2026-6514 Exploitation — InfusedWoo Pro Arbitrary File Read” to detect exploitation attempts targeting the vulnerable popup_submit endpoint.
• Review webserver logs for unusual requests to popup_submit as described in the Sigma rule, especially those containing suspicious URLs.