CVE-2026-6510 · CRITICAL 9.8 · EPSS p34.9%

Description

The InfusedWoo Pro plugin for WordPress is vulnerable to privilege escalation via missing authorization in all versions up to, and including, 5.1.2. This is due to missing nonce verification and capability checks in the iwar_save_recipe() AJAX handler. This makes it possible for unauthenticated attackers to create a malicious automation recipe that pairs an HTTP post trigger with an auto-login action, allowing any unauthenticated visitor to visit a crafted URL and receive authentication cookies for any targeted user account (e.g., administrator), achieving complete authentication bypass and privilege escalation.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.44% probability of exploitation · percentile 34.9% · 2026-06-19T12:03:05Z
Published: 2026-05-14
Last modified: 2026-05-14

Underlying weaknesses · 1

CWE-862

References

  1. https://woo.infusedaddons.com/
  2. https://www.wordfence.com/threat-intel/vulnerabilities/id/08cb8ba1-1976-438b-8e0b-0a8be08aad6c?source=cve

Type: Weakness · Target: Missing Authorization (cwe-862) · Confidence: 0% · Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE-2026-6506
CVE-2026-6512
CVE-2026-6419
CVE-2025-6754
CVE-2026-6963
CVE-2025-12028

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.