CVE-2026-6512
CRITICAL · 9.1. Real vuln, CRITICAL CVSS, same-day disclosure; unclear in-the-wild exploitation; no PoC evident yet.
What: InfusedWoo Pro WordPress plugin authorization bypass (CWE-862) allowing unauthenticated deletion of posts, pages, products, orders across all versions ≤5.1.2. CVSS 9.1 CRITICAL.
Why it matters: Zero-day with no patch available; NVD listing on the same day as publication signals rapid disclosure. Unauthenticated arbitrary destruction of site content poses an immediate operational risk to WordPress deployments running the plugin. Not yet KEV-listed, but CRITICAL severity and public awareness justify urgent triage.
Where it's seen: Coordinated social amplification across Bluesky (same-day NVD rebroadcasts, security vendor alerts flagging "no patch yet"). Threat intelligence platforms (OffSeq, Hacker Wire) are amplifying it. No public PoC observed in posts; chatter focuses on defensive posture (disable/restrict plugin).
RISK: CRITICAL — Unauthenticated authorization bypass destroys arbitrary content; no patch; affects production WordPress sites.
Description
The InfusedWoo Pro plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.1.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to permanently delete arbitrary posts, pages, products, or orders, mass-delete all comments on any post, and change any post's status.
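The missing-authorization pattern described above (CWE-862) is easiest to see in a WordPress AJAX handler. The following is an added, constructed illustration, not code from InfusedWoo Pro: the handler names, action names and request parameters are hypothetical, and the page does not show the plugin's actual endpoints. The first handler shows the class of defect (an unauthenticated hook with no capability or nonce check in front of a destructive call); the second shows the checks a plugin author is expected to perform before deleting a post, product or order.

```php
<?php
// Added example, not InfusedWoo Pro's code. All names below are hypothetical.

// Vulnerable pattern (CWE-862): the handler is also registered on the
// wp_ajax_nopriv_* hook, so logged-out visitors can reach it, and it deletes
// whatever post ID the request names without any nonce or capability check.
add_action( 'wp_ajax_nopriv_example_delete_item', 'example_delete_item_unchecked' );
add_action( 'wp_ajax_example_delete_item', 'example_delete_item_unchecked' );
function example_delete_item_unchecked() {
    $post_id = absint( $_POST['post_id'] ?? 0 );
    wp_delete_post( $post_id, true ); // true = bypass trash, permanent delete
    wp_send_json_success();
}

// Hardened pattern: no nopriv hook (unauthenticated requests never reach it),
// the request carries a nonce tied to this action, and the caller must hold
// the delete_post meta capability for the specific post before anything runs.
add_action( 'wp_ajax_example_delete_item_safe', 'example_delete_item_checked' );
function example_delete_item_checked() {
    // Stops with a 403 if the nonce is missing or invalid (CSRF protection).
    check_ajax_referer( 'example_delete_item', 'nonce' );

    $post_id = absint( $_POST['post_id'] ?? 0 );

    // Authorization check: WordPress maps delete_post to the post type's own
    // capabilities, so this also covers WooCommerce products and orders.
    if ( ! $post_id || ! current_user_can( 'delete_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $result = wp_delete_post( $post_id, true );
    if ( ! $result ) {
        wp_send_json_error( array( 'message' => 'delete failed' ), 500 );
    }
    wp_send_json_success( array( 'deleted' => $post_id ) );
}
```

Two things follow for defenders while no patch exists: the nopriv registration is what turns a missing capability check into an unauthenticated bug, so disabling the plugin (or blocking its AJAX/REST entry points at the web server) removes the reachable path; and because the vulnerable pattern deletes permanently rather than trashing, content removed before mitigation can only be restored from backups, which makes verifying backup freshness part of the triage.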
CVSS 3.1 breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
- Attack vector: Network
- Complexity: Low
- Privileges required: None
- User interaction: None
- Scope: Unchanged
- Confidentiality: High
- Integrity: High
- Availability: None