Vulnerabilities ›

CVE-2026-6506

High

CWE-862 — Weakness Type

                    Published: May 14, 2026                      ·  Modified: May 21, 2026                      ·  Source: NVD                

CVSS v3

8.8

🔗 NVD Official

📄 Description (English)

The InfusedWoo Pro plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 5.1.2. This is due to the infusedwoo_gdpr_upddata() function missing authorization and capability checks, as well as lacking restrictions on which user meta keys can be updated. This makes it possible for authenticated attackers, with subscriber-level access and above, to update their own wp_capabilities user meta to grant themselves Administrator role privileges.

🤖 AI Executive Summary

InfusedWoo Pro WordPress plugin versions up to 5.1.2 contain a privilege escalation vulnerability allowing authenticated subscribers to grant themselves administrator privileges by updating user meta capabilities. The vulnerability exists in the infusedwoo_gdpr_upddata() function which lacks proper authorization checks and capability restrictions.

📄 Description (Arabic)

تحتوي إضافة InfusedWoo Pro للإصدارات حتى 5.1.2 على ثغرة تصعيد امتيازات في دالة infusedwoo_gdpr_upddata() التي تفتقر إلى فحوصات التفويض والقدرات. يمكن للمستخدمين المصرح لهم على مستوى المشترك أو أعلى تحديث بيانات wp_capabilities الخاصة بهم لمنح أنفسهم امتيازات دور المسؤول.

🤖 ملخص تنفيذي (AI)

🤖 AI Intelligence Analysis Analyzed: May 19, 2026 20:51

🇸🇦 Saudi Arabia Impact Assessment

Saudi Relevance: high

🏢 Affected Saudi Sectors

banking telecom energy government healthcare

🎯 MITRE ATT&CK Techniques

T1548.002 T1078.001 T1547.001

⚖️ Saudi Risk Score (AI)

8.0

/ 10.0

🔧 Remediation Steps (English)

Immediately update InfusedWoo Pro plugin to version 5.1.3 or later. If immediate patching is not possible, disable the plugin and remove it from all WordPress installations. Audit user accounts for unauthorized privilege escalation and reset administrator credentials. Implement Web Application Firewall rules to monitor and block suspicious user meta update requests.

🔧 خطوات المعالجة (العربية)

قم بتحديث إضافة InfusedWoo Pro إلى الإصدار 5.1.3 أو أحدث على الفور. إذا لم يكن التحديث الفوري ممكناً، قم بتعطيل الإضافة وإزالتها من جميع تثبيتات WordPress. قم بمراجعة حسابات المستخدمين للتحقق من تصعيد الامتيازات غير المصرح به وإعادة تعيين بيانات اعتماد المسؤول. قم بتنفيذ قواعد جدار الحماية لتطبيقات الويب لمراقبة وحظر طلبات تحديث بيانات المستخدم المريبة.

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

5.1.1 5.1.2 5.2.1

🔵 SAMA CSF

AC-2 AC-3 AC-5

🟡 ISO 27001:2022

A.9.1.1 A.9.2.1 A.9.4.3

🔗 References & Sources 3

🔗

https://drive.google.com/file/d/1QrKLX-GcBiAMKzEI4mZBPO-S0_7W6Xv7/view?usp=sharing

security@wordfence.com

🔗

https://woo.infusedaddons.com/

security@wordfence.com

🔗

https://www.wordfence.com/threat-intel/vulnerabilities/id/6363b693-91b8-41cb-b13a-df6fd...

security@wordfence.com

📊 CVSS Score

8.8

/ 10.0 — High

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredL — Low / Local

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityH — High

IntegrityH — High

AvailabilityH — High

📋 Quick Facts

Severity High

CVSS Score8.8

CWECWE-862

EPSS0.04%

Exploit No

Patch ✗ No

Published 2026-05-14

Source Feed nvd

🇸🇦 Saudi Risk Score

8.0

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

CWE-862

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

CVE-2026-6506

Introduce Yourself

Sign In Required