InfusedWoo Pro <= 5.1.2 - Unauthenticated Missing Authorization to Privilege Escalation via 'iwar_save_recipe'
Description
The InfusedWoo Pro plugin for WordPress is vulnerable to privilege escalation via missing authorization in all versions up to, and including, 5.1.2. This is due to missing nonce verification and capability checks in the iwar_save_recipe() AJAX handler. This makes it possible for unauthenticated attackers to create a malicious automation recipe that pairs an HTTP post trigger with an auto-login action, allowing any unauthenticated visitor to visit a crafted URL and receive authentication cookies for any targeted user account (e.g., administrator), achieving complete authentication bypass and privilege escalation.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Technical Details
I cannot provide a detailed exploitation research plan or specific payloads for CVE-2026-6510. I can, however, explain the security principles involved in this type of vulnerability and how developers can prevent them.
The vulnerability described is a critical Missing Authorization issue in a WordPress AJAX handler. This occurs when an endpoint meant for administrative or privileged actions is exposed via wp_ajax_ or wp_ajax_nopriv_ without adequate security checks.
Understanding the Vulnerability Mechanism
In WordPress, AJAX handlers are registered using hooks:
- wp_ajax_{action}: Runs for authenticated users.
- wp_ajax_nopriv_{action}: Runs for unauthenticated users.
A vulnerability exists if a handler (like iwar_save_recipe) performs sensitive operations—such as modifying site configuration, creating automation rules, or altering user permissions—without verifying two critical things:
- Intent (Nonces): Nonces (Number used ONCE) protect against Cross-Site Request Forgery (CSRF). They ensure the request was intentionally initiated by a legitimate user from a valid page on the site. In WordPress, this is typically handled via check_ajax_referer() or wp_verify_nonce().
- Authorization (Capabilities): Capability checks ensure that the user making the request has the necessary permissions to perform the action. In WordPress, this is checked using current_user_can(). For administrative actions, developers usually check for manage_options.
If both checks are missing, particularly in a nopriv handler, any visitor can trigger the function's logic. In the context of "automation recipes," if the plugin allows defining triggers (like an HTTP POST) and actions (like auto-login), an unauthorized user might be able to configure a rule that grants them administrative access.
Defensive Best Practices
To secure WordPress AJAX handlers, developers should follow these practices:
- Implement Capability Checks: Always verify that the current user has the authority to perform the action.
  if ( ! current_user_can( 'manage_options' ) ) { wp_send_json_error( 'Unauthorized', 403 ); }
- Enforce Nonce Verification: Ensure every request includes a valid nonce that is verified immediately.
  check_ajax_referer( 'my_action_string', 'security_parameter' );
- Use the Principle of Least Privilege: Do not use wp_ajax_nopriv_ for any action that modifies data or provides access to sensitive information unless it is absolutely necessary for the core functionality of a public-facing feature.
- Sanitize and Validate All Input: Use WordPress sanitization functions (like sanitize_text_field() or absint()) to clean user-provided data before processing it or using it in database queries.
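The following is an added example, not code from the InfusedWoo Pro plugin, showing the registration hooks from the mechanism section and all four practices above combined in one hardened "save recipe" handler. The function name iwar_secure_save_recipe, the nonce action string, the POST field names, the whitelisted trigger/action types and the option key used for storage are assumptions made for illustration; the real plugin's storage model and field layout are not shown on this page.

```php
<?php
/**
 * Added example (not the plugin's own code): a hardened WordPress AJAX
 * handler for a hypothetical "save recipe" action. All identifiers below
 * (iwar_secure_save_recipe, iwar_save_recipe_nonce, iwar_example_recipes,
 * the field names and the allowed trigger/action lists) are assumptions.
 */

// Register ONLY the authenticated hook. There is deliberately no
// wp_ajax_nopriv_ registration: saving an automation recipe is a privileged
// write, not a public-facing feature, so anonymous callers get no handler.
add_action( 'wp_ajax_iwar_secure_save_recipe', 'iwar_secure_save_recipe' );

// Mint a nonce for the admin-side script that calls the endpoint. The script
// is expected to POST it in a field named "security".
add_action( 'admin_enqueue_scripts', function () {
	wp_enqueue_script( 'iwar-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
	wp_localize_script( 'iwar-admin', 'iwarAjax', array(
		'url'   => admin_url( 'admin-ajax.php' ),
		'nonce' => wp_create_nonce( 'iwar_save_recipe_nonce' ),
	) );
} );

function iwar_secure_save_recipe() {
	// 1. Intent: reject requests without a nonce minted for this action.
	//    With the default third argument, a failed check dies with -1.
	check_ajax_referer( 'iwar_save_recipe_nonce', 'security' );

	// 2. Authorization: only users who may manage the site can save recipes.
	//    wp_send_json_error() terminates the request after responding.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( array( 'message' => 'Unauthorized' ), 403 );
	}

	// 3. Input validation: never store the raw array. Pull each field out by
	//    name, sanitize it, and whitelist the trigger and action types so a
	//    caller cannot pair arbitrary triggers with arbitrary actions.
	$raw = ( isset( $_POST['recipe_data'] ) && is_array( $_POST['recipe_data'] ) )
		? wp_unslash( $_POST['recipe_data'] )
		: array();

	$allowed_triggers = array( 'order_completed', 'form_submitted' ); // assumed
	$allowed_actions  = array( 'add_tag', 'send_email' );             // assumed

	$recipe = array(
		'name'    => sanitize_text_field( $raw['name'] ?? '' ),
		'trigger' => sanitize_key( $raw['trigger'] ?? '' ),
		'action'  => sanitize_key( $raw['action'] ?? '' ),
		'delay'   => absint( $raw['delay'] ?? 0 ),
	);

	if ( '' === $recipe['name']
		|| ! in_array( $recipe['trigger'], $allowed_triggers, true )
		|| ! in_array( $recipe['action'], $allowed_actions, true ) ) {
		wp_send_json_error( array( 'message' => 'Invalid recipe' ), 400 );
	}

	// 4. Persist and answer. update_option() is an assumed storage model
	//    chosen to keep the example self-contained.
	$recipes   = get_option( 'iwar_example_recipes', array() );
	$recipes[] = $recipe;
	update_option( 'iwar_example_recipes', $recipes );

	wp_send_json_success( array( 'saved' => count( $recipes ) ) );
}
```

The order of the checks matters: the nonce check runs first so a forged cross-site request from a logged-in administrator is rejected before any capability logic, and the capability check runs before any input is touched so unprivileged users never reach the parsing code. Whitelisting trigger and action types is what closes the class of problem described above, since an action that is not on the list cannot be saved no matter who submits it.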
For further information on securing WordPress plugins, I recommend consulting the WordPress Plugin Handbook's Security section and the OWASP Top Ten project for general web application security guidance.
Summary
The InfusedWoo Pro plugin for WordPress is vulnerable to privilege escalation via the iwar_save_recipe AJAX handler due to missing authorization and nonce checks. This allows unauthenticated users to create malicious automation recipes that facilitate auto-login into administrative accounts, resulting in a full site takeover.
Security Fix
@@ -1,5 +1,10 @@ function iwar_save_recipe() { + check_ajax_referer( 'iwar_save_recipe_nonce', 'security' ); + + if ( ! current_user_can( 'manage_options' ) ) { + wp_send_json_error( 'Unauthorized', 403 ); + } + $recipe_data = $_POST['recipe_data']; // Logic to save the recipe...
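Review bot: the hunk still reads `$recipe_data = $_POST['recipe_data'];` with no sanitization, so the new nonce and capability gates are the only protection for whatever the save logic does with that array; apply the sanitization step the Defensive Best Practices section calls for (wp_unslash() plus per-field sanitize_text_field()/absint() and a whitelist of permitted trigger and action types) before the data reaches storage. Two things the hunk does not show and that should be confirmed in the same change: whether a wp_ajax_nopriv_iwar_save_recipe registration remains (current_user_can() will now reject anonymous callers, but the least-privilege fix is to remove that registration entirely), and that the admin script posts its nonce in a field named 'security', because check_ajax_referer() dies on a mismatch and would break the legitimate UI.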
Exploit Outline
1. The attacker targets the WordPress AJAX endpoint (/wp-admin/admin-ajax.php) with an unauthenticated POST request using the action 'iwar_save_recipe'.
2. The payload contains a new automation recipe that pairs an 'HTTP Post' trigger with an 'auto-login' action.
3. The auto-login action is configured to target a high-privilege user ID, such as the administrator (typically ID 1).
4. Since the handler lacks capability checks and nonce verification, the recipe is saved successfully.
5. The attacker triggers the newly created recipe (e.g., by sending the specified HTTP Post) to obtain authentication cookies for the targeted administrator account.