CVE-2026-6510 Overview
CVE-2026-6510 is a missing authorization vulnerability [CWE-862] in the InfusedWoo Pro plugin for WordPress affecting all versions up to and including 5.1.2. The flaw resides in the iwar_save_recipe() AJAX handler, which lacks both nonce verification and capability checks. Unauthenticated attackers can create a malicious automation recipe that pairs an HTTP post trigger with an auto-login action. Any visitor can then request a crafted URL and receive authentication cookies for any targeted user account, including administrators. The result is complete authentication bypass and full privilege escalation on affected WordPress sites.
Critical Impact
Unauthenticated attackers can obtain administrator authentication cookies and take over the WordPress site without any user interaction.
Affected Products
- InfusedWoo Pro plugin for WordPress, all versions through 5.1.2
- WordPress sites running the vulnerable plugin with WooCommerce
- Hosting environments exposing the WordPress admin-ajax.php endpoint to the internet
Discovery Timeline
- 2026-05-14 - CVE-2026-6510 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-6510
Vulnerability Analysis
The vulnerability is a missing authorization flaw [CWE-862] in the InfusedWoo Pro automation engine. The plugin exposes the iwar_save_recipe() function as an AJAX handler intended to let administrators define automation recipes that bind triggers to actions. The handler does not call check_ajax_referer() for nonce validation, nor does it verify the calling user's capabilities with current_user_can(). Because WordPress dispatches AJAX actions through both the authenticated (wp_ajax_{action}) and unauthenticated (wp_ajax_nopriv_{action}) hooks, and the handler is reachable through the latter, the unprotected endpoint accepts requests from any visitor. Attackers can persist arbitrary automation recipes into the site database and trigger them through public-facing URLs.
Root Cause
The root cause is the absence of two standard WordPress security primitives in the iwar_save_recipe() handler: nonce verification to prevent forged requests, and capability checks to restrict the action to privileged users. Without these controls, the handler trusts all request input and writes attacker-controlled recipes to plugin storage.
Attack Vector
An unauthenticated attacker sends a crafted POST request to the plugin's AJAX endpoint to create an automation recipe. The recipe pairs an HTTP post trigger, which fires when a specific public URL is requested, with the plugin's auto-login action, which issues WordPress authentication cookies for a chosen user ID. The attacker then visits the trigger URL with an unauthenticated browser and receives valid session cookies for an administrator account. No code examples are published; refer to the Wordfence Vulnerability Analysis for additional technical detail.
Detection Methods for CVE-2026-6510
Indicators of Compromise
- POST requests to /wp-admin/admin-ajax.php with action=iwar_save_recipe originating from unauthenticated sessions or unexpected IP addresses
- New or unexpected InfusedWoo automation recipes referencing auto-login actions or HTTP post triggers
- Authentication cookies issued for administrator accounts without a corresponding wp-login.php event
- Unexpected administrator-level activity in WordPress audit logs following anonymous HTTP requests
Detection Strategies
- Inspect web server access logs for unauthenticated requests targeting admin-ajax.php with the iwar_save_recipe action parameter
- Query the WordPress database for plugin recipe records that combine HTTP post triggers with auto-login actions and correlate creation times against authenticated admin sessions
- Alert on issuance of wordpress_logged_in_* cookies that are not preceded by a successful wp-login.php POST
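As an added example, not taken from the advisory or from the plugin vendor, the following Python script implements the first and third detection strategies above over constructed access-log lines. The sample log, its IP addresses, and the use of a POST to wp-login.php as a stand-in for a real authenticated session are assumptions made for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined log format: ip ident user [time] "METHOD target HTTP/x" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines, not from any real incident: an anonymous recipe save, the same
# action from a client that posted to wp-login.php first, then the anonymous client on /wp-admin/.
SAMPLE_LOG = """\
203.0.113.10 - - [14/May/2026:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=iwar_save_recipe HTTP/1.1" 200 57 "-" "curl/8.0"
198.51.100.7 - - [14/May/2026:10:01:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [14/May/2026:10:01:31 +0000] "POST /wp-admin/admin-ajax.php?action=iwar_save_recipe HTTP/1.1" 200 57 "-" "Mozilla/5.0"
203.0.113.10 - - [14/May/2026:10:02:16 +0000] "GET /wp-admin/ HTTP/1.1" 200 4096 "-" "curl/8.0"
"""

def parse_line(line):
    """Return the fields of one access-log line as a dict, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["query"] = parse_qs(url.query)
    return rec

def triage(lines):
    """One pass over the log. 'saves': every admin-ajax.php request whose query string carries
    action=iwar_save_recipe; 'anon_saves': those from an IP with no earlier POST to wp-login.php;
    'admin_no_login': successful /wp-admin/ page hits from such IPs (a proxy for cookies minted
    by an auto-login recipe). Caveat: a POST body is not in a standard access log, so a save sent
    only in the body needs WAF or request-body logging to be seen here."""
    seen_login = set()
    out = {"saves": [], "anon_saves": [], "admin_no_login": []}
    for rec in filter(None, map(parse_line, lines)):
        ip, path = rec["ip"], rec["path"]
        if rec["method"] == "POST" and path.endswith("/wp-login.php"):
            seen_login.add(ip)
        elif path.endswith("/wp-admin/admin-ajax.php"):
            if "iwar_save_recipe" in rec["query"].get("action", []):
                out["saves"].append(ip)
                if ip not in seen_login:
                    out["anon_saves"].append(ip)
        elif path.startswith("/wp-admin/") and rec["status"] == "200" and ip not in seen_login:
            out["admin_no_login"].append((ip, path))
    return out
```

Run `triage(SAMPLE_LOG.splitlines())` on the sample, or feed it real access-log lines; the anonymous client 203.0.113.10 shows up in both `anon_saves` and `admin_no_login`, while the client that logged in first appears only in `saves`.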
Monitoring Recommendations
- Enable WordPress audit logging to capture user logins, plugin option changes, and recipe creation events
- Forward web server, WordPress, and WAF logs to a centralized analytics platform for correlation across the authentication chain
- Monitor for sudden role or capability changes on existing accounts that follow anonymous traffic to plugin endpoints
How to Mitigate CVE-2026-6510
Immediate Actions Required
- Update InfusedWoo Pro to a version newer than 5.1.2 as soon as the vendor releases a patched build; consult the Infused Addons Resource for release information
- Deactivate and remove the InfusedWoo Pro plugin if a patched version is not yet available
- Rotate passwords and invalidate active sessions for all administrator and privileged accounts on affected sites
- Audit existing automation recipes and delete any that were not created by an authorized administrator
Patch Information
At the time of NVD publication on 2026-05-14, all versions up to and including 5.1.2 are affected. Review the Wordfence Vulnerability Analysis and the vendor site for the fixed release version.
Workarounds
- Block unauthenticated POST requests to admin-ajax.php that include action=iwar_save_recipe at the web application firewall or reverse proxy
- Restrict access to /wp-admin/ paths by source IP where business requirements allow
- Enforce multi-factor authentication on all administrator accounts to limit the impact of stolen session cookies
# Example WAF rule (ModSecurity) to block the vulnerable AJAX action. ARGS covers both
# query-string and request-body parameters, so GET and POST variants are caught. The rule
# blocks the action for every caller, administrators included, because the WAF cannot verify
# a WordPress session; keep it in place only until the plugin is patched or removed.
SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" \
    "chain,phase:2,deny,status:403,id:1026510,msg:'Block InfusedWoo iwar_save_recipe (CVE-2026-6510)'"
    SecRule ARGS:action "@streq iwar_save_recipe" "t:lowercase"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.