CVE-2026-6506
HIGH · 8.8
CVE published today, no PoC/KEV; chatter is pure feed republication without exploitation signal.
What: InfusedWoo Pro WordPress plugin privilege escalation (versions ≤5.1.2) allows authenticated subscribers to escalate to admin via missing authorization checks in the infusedwoo_gdpr_upddata() function. CVSS 8.8 HIGH.
Why it matters: Published today with high CVSS score; affects WordPress sites running vulnerable plugin versions. No KEV listing or public PoC evident yet, but vulnerability is straightforward (missing capability checks on user meta update). Vendors likely preparing patches. Early-stage advisory chatter suggests awareness spreading rapidly among WordPress security practitioners.
Where it's seen: Bluesky and X posts broadcasting NVD entry; Hacker Wire coverage; security accounts amplifying CVSS rating and affected versions. No working exploit code or in-the-wild reports visible yet—primarily feed-driven disclosure noise.
RISK: HIGH — Authenticated privilege escalation affecting WordPress installs; trivial attack surface if plugin deployed.
Description
The InfusedWoo Pro plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 5.1.2. This is due to the infusedwoo_gdpr_upddata() function missing authorization and capability checks, as well as lacking restrictions on which user meta keys can be updated. This makes it possible for authenticated attackers, with subscriber-level access and above, to update their own wp_capabilities user meta to grant themselves Administrator role privileges.
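As an added illustration (not code from the InfusedWoo Pro plugin or its vendor), here is the bug class from the description in PHP for a WordPress AJAX handler: a weak pattern that writes whatever user meta key the request names, beside a hardened version with a nonce, a capability check and a fixed allowlist of meta keys. The handler names, the nonce action and the allowed keys are assumptions.

```php
<?php
// Added illustrative example, not code from the InfusedWoo Pro plugin. Assumes a
// WordPress install; handler names, nonce action and allowed keys are hypothetical.

// Weak pattern (the bug class described above): any logged-in user can write any
// user meta key on their own account, including the capabilities key.
add_action( 'wp_ajax_example_gdpr_upddata_weak', 'example_gdpr_upddata_weak' );
function example_gdpr_upddata_weak() {
    $key   = sanitize_key( wp_unslash( $_POST['meta_key'] ) );
    $value = sanitize_text_field( wp_unslash( $_POST['meta_value'] ) );
    update_user_meta( get_current_user_id(), $key, $value ); // no nonce, no capability check, no key restriction
    wp_send_json_success();
}

// Hardened pattern: nonce, capability check, and a fixed allowlist of meta keys.
// Keys this handler may legitimately touch (hypothetical GDPR consent fields).
const EXAMPLE_GDPR_ALLOWED_META = array( 'example_gdpr_consent', 'example_gdpr_consent_date' );

add_action( 'wp_ajax_example_gdpr_upddata', 'example_gdpr_upddata_hardened' );
function example_gdpr_upddata_hardened() {
    // 1. CSRF: the request must carry the nonce issued to this user for this action.
    check_ajax_referer( 'example_gdpr_upddata', 'nonce' );

    // 2. Authorization: the caller must be allowed to edit the target account.
    //    'edit_user' on one's own ID is granted to any user; for any other ID it
    //    requires the 'edit_users' capability (administrators only by default).
    $user_id = get_current_user_id();
    if ( ! $user_id || ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Allowlist the meta key. is_protected_meta() only blocks underscore-prefixed
    //    keys by default, so it would NOT stop '<prefix>capabilities' or
    //    '<prefix>user_level'; an explicit allowlist is the reliable control.
    $key = isset( $_POST['meta_key'] ) ? sanitize_key( wp_unslash( $_POST['meta_key'] ) ) : '';
    if ( ! in_array( $key, EXAMPLE_GDPR_ALLOWED_META, true ) ) {
        wp_send_json_error( 'meta key not permitted', 400 );
    }

    // 4. Sanitize the value for the type of data this handler stores.
    $value = isset( $_POST['meta_value'] ) ? sanitize_text_field( wp_unslash( $_POST['meta_value'] ) ) : '';

    update_user_meta( $user_id, $key, $value );
    wp_send_json_success( array( 'updated' => $key ) );
}
```

When reviewing a plugin for this class of bug, look for every `update_user_meta()` / `update_metadata()` call whose key comes from the request and confirm it sits behind a nonce check, a capability check and a key allowlist like the one above.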
CVSS 3.1 breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- Attack vector: Network
- Attack complexity: Low
- Privileges required: Low
- User interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: High