[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f8VvgxRur0mEnMtBFr9GXiFV4d3TEIAsTtm5gx-epnJA":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":31},"CVE-2026-6514","infusedwoo-pro-unauthenticated-arbitrary-file-read-via-url-parameter","InfusedWoo Pro \u003C= 5.1.2 - Unauthenticated Arbitrary File Read via 'url' Parameter","The InfusedWoo Pro plugin for WordPress is vulnerable to Arbitrary File Read and Server-Side Request Forgery (SSRF) in all versions up to, and including, 5.1.2 via the 'url' parameter of the popup_submit action. 
This makes it possible for unauthenticated attackers to read files from the server and to make web requests to arbitrary locations originating from the web application, which can be used to query and modify information from internal services.","infusedwooPRO",null,"\u003C=5.1.2","5.1.3","high",7.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Server-Side Request Forgery (SSRF)","2026-05-13 19:52:06","2026-05-14 08:24:26",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F76b75e61-e7f8-41cc-ab4f-e6ca42d68308?source=api-prod",1,[],"researched",false,3,"This section explains the mechanics of Server-Side Request Forgery (SSRF) and Arbitrary File Read vulnerabilities in the context of WordPress plugins, and the secure coding practices that prevent them.\n\n### Vulnerability Mechanics\n\nVulnerabilities like the one described (CVE-2026-6514) typically occur when an application accepts a URL or file path from a user and uses it in a server-side function without sufficient validation.\n\n#### 1. Server-Side Request Forgery (SSRF)\nSSRF occurs when a server is coerced into making a request to a location of the attacker's choosing. In WordPress, this often happens if a plugin passes a URL taken from `$_GET` or `$_POST` straight to `wp_remote_get()` or `wp_remote_post()`, or to `file_get_contents()` or a cURL handle; the latter two also accept `file:\u002F\u002F` URLs, which turns the same bug into a local file read.\n\nAn attacker might use this to:\n*   Scan internal networks that are not reachable from the outside.\n*   Access internal services (e.g., metadata services in cloud environments like AWS at `169.254.169.254`).\n*   Interact with internal APIs that lack authentication because they are assumed to be \"behind the firewall.\"\n\n#### 2. 
Arbitrary File Read\nIf the application passes a user-controlled parameter to `file_get_contents()`, or to a cURL handle that still permits the `file` protocol, an attacker can point it at local files (e.g., `\u002Fetc\u002Fpasswd` or `wp-config.php`), either as a plain path or through the `file:\u002F\u002F` wrapper. With `include()` the impact is worse: PHP files are executed rather than returned, so the same mistake becomes local file inclusion.\n\n### Secure Coding Practices for WordPress\n\nTo prevent these issues, developers should follow these principles:\n\n*   **Avoid Direct User Input in Network Requests:** Never pass raw user input directly into functions that perform HTTP requests or file operations.\n*   **Use `wp_safe_remote_get()` and `wp_safe_remote_post()`:** These wrappers set the `reject_unsafe_urls` option, so the destination is run through `wp_http_validate_url()`, which rejects any scheme other than `http` or `https`, URLs with embedded credentials, ports other than 80, 443 and 8080, and loopback and RFC 1918 IPv4 addresses. Treat this as a baseline rather than a complete SSRF defense: the host check is a fixed list of IPv4 ranges and can be relaxed by filters, so combine it with a destination allow-list.\n*   **Validate and Sanitize URLs:** Use `wp_http_validate_url()` to ensure a URL is well-formed and safe before processing it; it returns the validated URL or `false`, so act on its return value rather than on the original input.\n*   **Implement Allow-lists:** If your plugin needs to fetch data from external sources, restrict the possible destinations to a predefined list of trusted domains, comparing the parsed host exactly rather than with a substring match.\n*   **Restrict File Access:** When dealing with file paths, use `basename()` so that only a file name survives, resolve the result with `realpath()` and confirm that the resolved path still begins with the intended base directory; never pass a user-supplied path to `include()`. 
Never allow protocols like `file:\u002F\u002F`, `php:\u002F\u002F`, or `gopher:\u002F\u002F` unless absolutely necessary and strictly controlled; when calling cURL directly, restrict the permitted schemes with `CURLOPT_PROTOCOLS` (and `CURLOPT_REDIR_PROTOCOLS` if redirects are followed) instead of relying on the defaults.\n*   **Nonce and Capability Checks:** A nonce is a CSRF check, not an authorization check. For logged-out users it is derived only from the site salt and the current time window, so anyone can obtain one from a public page. Gate any handler that fetches URLs or reads files behind `current_user_can()` with the narrowest capability that fits, and do not register such handlers on `wp_ajax_nopriv_*` unless the operation is genuinely safe for anonymous callers.\n\nFor further information on securing WordPress plugins, I recommend reviewing the [WordPress Plugin Handbook on Security](https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fsecurity\u002F) and the [OWASP SSRF Prevention Cheat Sheet](https:\u002F\u002Fcheatsheetseries.owasp.org\u002Fcheatsheets\u002FServer_Side_Request_Forgery_Prevention_Cheat_Sheet.html).","The InfusedWoo Pro plugin for WordPress (up to version 5.1.2) is vulnerable to unauthenticated Arbitrary File Read and Server-Side Request Forgery (SSRF) via the 'url' parameter in the 'popup_submit' functionality. This allows attackers to read sensitive server-side files or interact with internal network services by providing malicious URI schemes or internal addresses.","1. Identify the endpoint responsible for the 'popup_submit' action, which is typically accessible via a WordPress AJAX handler (admin-ajax.php) or a public-facing script within the plugin directory.\n2. Construct a request (GET or POST) containing the 'url' parameter.\n3. To perform an Arbitrary File Read, set the 'url' parameter to use the 'file:\u002F\u002F' scheme followed by a sensitive path, such as 'file:\u002F\u002F\u002Fetc\u002Fpasswd' or the path to the WordPress 'wp-config.php' file.\n4. To perform an SSRF attack, set the 'url' parameter to an internal network address or a cloud metadata service (e.g., 'http:\u002F\u002F169.254.169.254\u002Flatest\u002Fmeta-data\u002F') to retrieve information from internal systems.\n5. 
Send the request; the server-side code will fetch the content of the provided URL\u002Fpath and return it in the response body. No authentication is required.","gemini-3-flash-preview","2026-05-14 16:51:53","2026-05-14 16:52:32",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002FinfusedwooPRO\u002Ftags"]
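The secure coding practices listed in the research plan above, shown as a worked example. This is added illustration, not code from the advisory, from Wordfence, or from the InfusedWoo Pro plugin: the handler shape, the `example_` function names, the `edit_posts` capability, the nonce action and the `api.example.com` allow-list are all assumptions. The vulnerable handler reproduces the bug class the advisory describes (one unchecked `url` parameter giving both SSRF and file read); the hardened version goes a step beyond the plan by accepting only `https` to an exact-match host list, mapping file names onto one directory with `basename()` plus `realpath()`, and registering the action without a `wp_ajax_nopriv_` hook.

```php
<?php
/**
 * Added example (hypothetical names, not the plugin's code): a URL-fetching
 * AJAX handler in the vulnerable shape described above, beside a hardened one.
 */

// --- Vulnerable shape: the 'url' parameter reaches a fetch function unchecked.
// file_get_contents() accepts file:// and plain paths as well as http(s), so a
// single parameter yields both SSRF and arbitrary file read. Do not deploy this.
function example_popup_submit_vulnerable(): void {
    $url  = $_REQUEST['url'] ?? '';
    $body = @file_get_contents($url);   // file:///etc/passwd, http://169.254.169.254/...
    echo $body;
}

// --- Hardened: check scheme, credentials, host and port against a fixed
// allow-list before any request is made. Returns a rebuilt URL, or null.
function example_validate_remote_url(string $url, array $allowedHosts): ?string {
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return null;                                    // not an absolute URL
    }
    if (strtolower($p['scheme']) !== 'https') {
        return null;                                    // no file://, php://, gopher://, http://
    }
    if (isset($p['user']) || isset($p['pass'])) {
        return null;                                    // user:pass@host tricks
    }
    $host = strtolower(rtrim($p['host'], '.'));
    if (!in_array($host, $allowedHosts, true)) {
        return null;                                    // exact match, not a substring check
    }
    if (isset($p['port']) && $p['port'] !== 443) {
        return null;
    }
    $path  = $p['path'] ?? '/';
    $query = isset($p['query']) ? '?' . $p['query'] : '';
    return 'https://' . $host . $path . $query;         // rebuilt: fragment and credentials dropped
}

// --- Hardened: map a user-supplied file name onto one fixed directory.
function example_safe_local_path(string $name, string $baseDir): ?string {
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . basename($name));
    if ($candidate === false || strpos($candidate, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                                    // traversal, symlink escape or missing file
    }
    return $candidate;
}

// --- Hardened handler: capability check first, nonce second, allow-list third,
// and wp_safe_remote_get() as the final backstop.
function example_popup_submit_hardened(): void {
    if (!current_user_can('edit_posts')) {             // hypothetical capability
        wp_send_json_error('forbidden', 403);
    }
    check_ajax_referer('example_popup_submit');         // CSRF only; not an authorization check
    $allowed = ['api.example.com'];                     // hypothetical allow-list
    $url = example_validate_remote_url(sanitize_text_field(wp_unslash($_POST['url'] ?? '')), $allowed);
    if ($url === null) {
        wp_send_json_error('url not allowed', 400);
    }
    $resp = wp_safe_remote_get($url, ['timeout' => 5, 'redirection' => 0]);
    if (is_wp_error($resp)) {
        wp_send_json_error('fetch failed', 502);
    }
    wp_send_json_success(wp_remote_retrieve_body($resp));
}

if (function_exists('add_action')) {
    add_action('wp_ajax_example_popup_submit', 'example_popup_submit_hardened');
    // Deliberately no wp_ajax_nopriv_ registration: anonymous callers get nothing.
} else {
    // Stand-alone check of the two validators (php this-file.php), without WordPress.
    $ok = ['api.example.com'];
    $checks = [
        example_validate_remote_url('https://api.example.com/v1/items?id=3', $ok) === 'https://api.example.com/v1/items?id=3',
        example_validate_remote_url('file:///etc/passwd', $ok) === null,
        example_validate_remote_url('http://169.254.169.254/latest/meta-data/', $ok) === null,
        example_validate_remote_url('https://api.example.com.attacker.test/', $ok) === null,
        example_validate_remote_url('https://user:pw@api.example.com/', $ok) === null,
        example_validate_remote_url('https://api.example.com:8443/', $ok) === null,
        example_safe_local_path('../../wp-config.php', sys_get_temp_dir()) === null,
    ];
    echo in_array(false, $checks, true) ? "validator FAIL\n" : "validators ok\n";
}
```

The order of checks in the hardened handler matters: the capability check runs before the nonce check because a nonce for a logged-out user is obtainable by anyone, and the allow-list runs before `wp_safe_remote_get()` because core's validation only excludes a fixed set of IPv4 ranges and ports. Rebuilding the URL from parsed parts, rather than forwarding the original string, is what prevents credential, fragment and encoding tricks from surviving validation.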