PT-2026-40891 · WordPress · Infusedwoo Pro

Published: 2026-05-14 · Updated: 2026-06-19 · CVE-2026-6506

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

InfusedWoo Pro versions prior to 5.1.3

Description

The InfusedWoo Pro plugin for WordPress contains a flaw allowing authenticated attackers with subscriber-level access or higher to escalate their privileges. The issue stems from the infusedwoo_gdpr_upddata() function, which lacks proper authorization and capability checks and does not restrict which user meta keys can be modified. Consequently, an attacker can update their own wp_capabilities user meta to grant themselves Administrator role privileges.

Recommendations

Update the plugin to a version later than 5.1.2. As a temporary workaround, restrict access to the infusedwoo_gdpr_upddata() function to minimize the risk of exploitation.
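
The two controls the description names as missing, an authorization check and a restriction on writable user meta keys, look like this in a WordPress AJAX handler. This is an added example, not code from InfusedWoo Pro or its fix; every `example_*` name, the `fields` and `nonce` request parameters, and the listed meta keys are assumptions.

```php
<?php
// Added example: hypothetical plugin code, not InfusedWoo Pro's handler.
// All example_* names, request parameters and meta keys are assumptions.

// The only meta keys the self-service endpoint may write. Role and
// capability keys such as wp_capabilities and wp_user_level are never listed.
const EXAMPLE_GDPR_EDITABLE_KEYS = array( 'billing_phone', 'billing_city', 'example_marketing_optin' );

function example_gdpr_is_editable_key( $key ) {
    // Strict comparison against the allowlist; integer keys are rejected too.
    return is_string( $key ) && in_array( $key, EXAMPLE_GDPR_EDITABLE_KEYS, true );
}

function example_gdpr_update_data() {
    // 1. CSRF: the nonce must match the action the form was rendered with.
    check_ajax_referer( 'example_gdpr_update', 'nonce' );

    // 2. Authorization: the caller must be allowed to edit the target user.
    //    The target is always the session's own user, never a request value.
    $user_id = get_current_user_id();
    if ( ! $user_id || ! current_user_can( 'edit_user', $user_id ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 3. Key restriction: a subscriber passes step 2 for their own account,
    //    so the allowlist is what keeps role data out of reach.
    $fields  = ( isset( $_POST['fields'] ) && is_array( $_POST['fields'] ) )
        ? wp_unslash( $_POST['fields'] )
        : array();
    $updated = array();
    foreach ( $fields as $key => $value ) {
        if ( ! example_gdpr_is_editable_key( $key ) || ! is_scalar( $value ) ) {
            continue; // Unknown key or non-scalar value: ignore it.
        }
        update_user_meta( $user_id, $key, sanitize_text_field( (string) $value ) );
        $updated[] = $key;
    }
    wp_send_json_success( array( 'updated' => $updated ) );
}

// Registered for logged-in users only; there is no wp_ajax_nopriv_ hook.
add_action( 'wp_ajax_example_gdpr_update', 'example_gdpr_update_data' );
```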

Fix

LPE

Missing Authorization

Weakness Enumeration

Related Identifiers

CVE-2026-6506

Affected Products

Infusedwoo Pro