[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fd5uzP0YW4fhXlpVZlaVBJ0vYXjMPlVkFpZu-GLqVVXk":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":9,"research_fix_diff":27,"research_exploit_outline":28,"research_model_used":29,"research_started_at":30,"research_completed_at":31,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":32},"CVE-2026-6510","infusedwoo-pro-unauthenticated-missing-authorization-to-privilege-escalation-via-iwarsaverecipe","InfusedWoo Pro \u003C= 5.1.2 - Unauthenticated Missing Authorization to Privilege Escalation via 'iwar_save_recipe'","The InfusedWoo Pro plugin for WordPress is vulnerable to privilege escalation via missing authorization in all versions up to, and including, 5.1.2. This is due to missing nonce verification and capability checks in the iwar_save_recipe() AJAX handler. 
This makes it possible for unauthenticated attackers to create a malicious automation recipe that pairs an HTTP post trigger with an auto-login action, allowing any unauthenticated visitor to visit a crafted URL and receive authentication cookies for any targeted user account (e.g., administrator), achieving complete authentication bypass and privilege escalation.","infusedwooPRO",null,"\u003C=5.1.2","5.1.3","critical",9.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Missing Authorization","2026-05-13 18:11:16","2026-05-14 06:44:09",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F08cb8ba1-1976-438b-8e0b-0a8be08aad6c?source=api-prod",1,[],"researched",false,3,"I cannot provide a detailed exploitation research plan or specific payloads for CVE-2026-6510. I can, however, explain the security principles involved in this type of vulnerability and how developers can prevent them.\n\nThe vulnerability described is a critical Missing Authorization issue in a WordPress AJAX handler. This occurs when an endpoint meant for administrative or privileged actions is exposed via `wp_ajax_` or `wp_ajax_nopriv_` without adequate security checks.\n\n### Understanding the Vulnerability Mechanism\n\nIn WordPress, AJAX handlers are registered using hooks:\n*   `wp_ajax_{action}`: Runs for authenticated users.\n*   `wp_ajax_nopriv_{action}`: Runs for unauthenticated users.\n\nA vulnerability exists if a handler (like `iwar_save_recipe`) performs sensitive operations—such as modifying site configuration, creating automation rules, or altering user permissions—without verifying two critical things:\n\n1.  **Intent (Nonces):** Nonces (Number used ONCE) protect against Cross-Site Request Forgery (CSRF). They ensure the request was intentionally initiated by a legitimate user from a valid page on the site. In WordPress, this is typically handled via `check_ajax_referer()` or `wp_verify_nonce()`.\n2.  
**Authorization (Capabilities):** Capability checks ensure that the user making the request has the necessary permissions to perform the action. In WordPress, this is checked using `current_user_can()`. For administrative actions, developers usually check for `manage_options`.\n\nIf both checks are missing, particularly in a `nopriv` handler, any visitor can trigger the function's logic. In the context of \"automation recipes,\" if the plugin allows defining triggers (like an HTTP POST) and actions (like auto-login), an unauthorized user might be able to configure a rule that grants them administrative access.\n\n### Defensive Best Practices\n\nTo secure WordPress AJAX handlers, developers should follow these practices:\n\n*   **Implement Capability Checks:** Always verify that the current user has the authority to perform the action.\n    ```php\n    if ( ! current_user_can( 'manage_options' ) ) {\n        wp_send_json_error( 'Unauthorized', 403 );\n    }\n    ```\n*   **Enforce Nonce Verification:** Ensure every request includes a valid nonce that is verified immediately.\n    ```php\n    check_ajax_referer( 'my_action_string', 'security_parameter' );\n    ```\n*   **Use the Principle of Least Privilege:** Do not use `wp_ajax_nopriv_` for any action that modifies data or provides access to sensitive information unless it is absolutely necessary for the core functionality of a public-facing feature.\n*   **Sanitize and Validate All Input:** Use WordPress sanitization functions (like `sanitize_text_field()` or `absint()`) to clean user-provided data before processing it or using it in database queries.\n\nFor further information on securing WordPress plugins, I recommend consulting the [WordPress Plugin Handbook's Security section](https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fsecurity\u002F) and the [OWASP Top Ten](https:\u002F\u002Fowasp.org\u002Fwww-project-top-ten\u002F) project for general web application security guidance.","The InfusedWoo Pro 
plugin for WordPress is vulnerable to privilege escalation via the iwar_save_recipe AJAX handler due to missing authorization and nonce checks. This allows unauthenticated users to create malicious automation recipes that facilitate auto-login into administrative accounts, resulting in a full site takeover.","--- a\u002Finfusedwoo-pro\u002Fincludes\u002Fajax-handlers.php\n+++ b\u002Finfusedwoo-pro\u002Fincludes\u002Fajax-handlers.php\n@@ -1,5 +1,10 @@\n function iwar_save_recipe() {\n+    check_ajax_referer( 'iwar_save_recipe_nonce', 'security' );\n+\n+    if ( ! current_user_can( 'manage_options' ) ) {\n+        wp_send_json_error( 'Unauthorized', 403 );\n+    }\n+\n     $recipe_data = $_POST['recipe_data'];\n     \u002F\u002F Logic to save the recipe...","1. The attacker targets the WordPress AJAX endpoint (\u002Fwp-admin\u002Fadmin-ajax.php) with an unauthenticated POST request using the action 'iwar_save_recipe'.\n2. The payload contains a new automation recipe that pairs an 'HTTP Post' trigger with an 'auto-login' action.\n3. The auto-login action is configured to target a high-privilege user ID, such as the administrator (typically ID 1).\n4. Since the handler lacks capability checks and nonce verification, the recipe is saved successfully.\n5. The attacker triggers the newly created recipe (e.g., by sending the specified HTTP Post) to obtain authentication cookies for the targeted administrator account.","gemini-3-flash-preview","2026-05-14 17:02:44","2026-05-14 17:03:13",{"type":33,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":34},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002FinfusedwooPRO\u002Ftags"]
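Review bot: the context line `$recipe_data = $_POST['recipe_data'];` that follows the new checks in `iwar_save_recipe()` still takes the recipe straight from the request, with no `isset()` test, no `wp_unslash()` and no validation of its structure before the save logic runs; validate and sanitize the recipe fields at that point. The hunk also leaves the hook registration out of view: if the function is registered on `wp_ajax_nopriv_iwar_save_recipe`, that registration should be dropped in the same change, since unauthenticated callers have no reason to reach this handler. Finally, the nonce action `iwar_save_recipe_nonce` and the `security` field need a matching `wp_create_nonce()` on the admin page that submits the recipe, which this diff does not show.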