CVE-2026-6512 Overview
CVE-2026-6512 is an authorization bypass vulnerability in the InfusedWoo Pro plugin for WordPress. The flaw affects all versions up to and including 5.1.2. The plugin fails to verify that a user is authorized to perform privileged actions, classified as Missing Authorization [CWE-862].
Unauthenticated attackers can permanently delete arbitrary posts, pages, products, or orders. They can also mass-delete all comments on any post and change the status of any post. The vulnerability is exploitable over the network without user interaction.
Critical Impact
Unauthenticated attackers can destroy WooCommerce store content, including products and orders, on any vulnerable WordPress site.
Affected Products
- InfusedWoo Pro plugin for WordPress, versions through 5.1.2
- WordPress sites running WooCommerce with InfusedWoo Pro installed
- All WooCommerce stores using the InfusedWoo Pro extension
Discovery Timeline
- 2026-05-14 - CVE-2026-6512 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-6512
Vulnerability Analysis
The InfusedWoo Pro plugin exposes administrative actions through endpoints that lack proper authorization checks. The plugin registers AJAX or REST handlers for content management operations but does not validate the requesting user's capabilities or role.
Attackers can invoke deletion and state-change functions by sending crafted HTTP requests directly to the vulnerable endpoints. No authentication cookie, nonce verification, or capability check (current_user_can()) gates the affected actions. The impact spans confidentiality and integrity, with permanent loss of store data including orders and products.
This class of weakness is tracked as Missing Authorization under [CWE-862]. WordPress plugins commonly fall into this pattern when developers rely on UI-level restrictions rather than server-side authorization enforcement.
Root Cause
The root cause is the absence of authorization verification in handlers that perform destructive operations. The plugin code does not call current_user_can() or verify a valid nonce via check_ajax_referer() before executing post deletion, comment deletion, or post status changes.
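The following is an added illustration, not InfusedWoo Pro's own code (which is not public here): a generic WordPress AJAX handler in the CWE-862 pattern the root cause describes, beside a hardened version that adds the nonce and capability checks named above. All function, hook and action names (example_*) are hypothetical.

```php
<?php
// Added example, not InfusedWoo Pro's own code. Function, hook and action
// names (example_*) are hypothetical.

// BEFORE (CWE-862): any caller can permanently delete any post by ID.
// Registering on wp_ajax_nopriv_ makes the handler reachable with no session
// at all, and nothing checks a nonce or a capability before the destructive call.
function example_delete_post_unchecked() {
    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    wp_delete_post( $post_id, true ); // true = bypass trash, permanent
    wp_send_json_success();
}
add_action( 'wp_ajax_example_delete_unchecked',        'example_delete_post_unchecked' );
add_action( 'wp_ajax_nopriv_example_delete_unchecked', 'example_delete_post_unchecked' );

// AFTER: no nopriv hook (anonymous callers never reach the function), a nonce
// bound to this action, and a per-object capability check on the specific
// post ID, so a logged-in user cannot delete posts they are not allowed to.
function example_delete_post_checked() {
    // Terminates the request (HTTP 403) if the 'nonce' field is missing or invalid.
    check_ajax_referer( 'example_delete_checked', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || ! current_user_can( 'delete_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 ); // calls wp_die()
    }

    if ( ! wp_delete_post( $post_id, true ) ) {
        wp_send_json_error( array( 'message' => 'delete failed' ), 500 );
    }
    wp_send_json_success( array( 'deleted' => $post_id ) );
}
add_action( 'wp_ajax_example_delete_checked', 'example_delete_post_checked' );

// The admin UI obtains the nonce with wp_create_nonce( 'example_delete_checked' )
// and sends it back as the 'nonce' POST field alongside 'post_id'.
```

The capability check uses the meta capability delete_post with the object ID rather than a blanket role check, so WordPress maps it to the right primitive (delete_posts, delete_others_posts, delete_published_posts) for that particular post.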
Attack Vector
An unauthenticated remote attacker sends HTTP POST requests to the vulnerable plugin endpoints, typically admin-ajax.php with the plugin's registered action parameter. The attacker supplies target post IDs, product IDs, or order IDs as request parameters. The plugin executes the destructive operation without verifying the caller's identity or permissions, resulting in permanent data loss across the affected WordPress installation.
Verified exploitation code is not publicly available. Refer to the Wordfence Vulnerability Advisory for additional technical context.
Detection Methods for CVE-2026-6512
Indicators of Compromise
- Unexpected POST requests to /wp-admin/admin-ajax.php referencing InfusedWoo plugin actions from unauthenticated sources
- Missing or trashed WooCommerce products, orders, posts, or pages with no corresponding admin activity in audit logs
- Sudden mass deletion of comments across multiple posts within a short time window
- Unexplained post status transitions (published to draft or trash) without legitimate user action
Detection Strategies
- Review web server access logs for repeated POST requests to admin-ajax.php with InfusedWoo action parameters lacking valid session cookies
- Enable WordPress activity logging plugins to capture post deletions, status changes, and comment removals with associated user context
- Correlate WooCommerce order and product audit trails against authenticated admin sessions to identify orphan deletions
Monitoring Recommendations
- Monitor for anomalous spikes in wp_posts and wp_comments deletion events at the database level
- Alert on requests to plugin-specific AJAX actions that carry no authenticated WordPress session (no wordpress_logged_in_ cookie)
- Track changes to post status and ownership attributes through file integrity and database change monitoring
How to Mitigate CVE-2026-6512
Immediate Actions Required
- Update the InfusedWoo Pro plugin to a version newer than 5.1.2 once a patched release is available from the vendor
- Temporarily deactivate the InfusedWoo Pro plugin on all WordPress sites until a fix is verified
- Restore deleted posts, products, orders, or comments from recent backups if unauthorized deletions have occurred
- Audit all WooCommerce store content and database tables for evidence of unauthorized modifications
Patch Information
Review the InfusedWoo Changelog for vendor release notes and patched version information. Confirm patched versions through the Wordfence Vulnerability Advisory before deploying.
Workarounds
- Block unauthenticated requests to admin-ajax.php containing InfusedWoo action parameters at the web application firewall (WAF) layer
- Restrict access to /wp-admin/ paths by source IP address where operationally feasible
- Enforce database-level backups on a frequent schedule to enable rapid recovery from destructive actions
- Remove the plugin entirely from sites that do not require its functionality
# Example WAF rule concept: block unauthenticated InfusedWoo AJAX actions
# Adapt to your WAF syntax (ModSecurity, Cloudflare, etc.). ModSecurity form:
# phase:2 so that POST body arguments (ARGS:action) are available; id, phase,
# disruptive action and msg belong on the first rule of the chain only.
SecRule REQUEST_URI "@contains /wp-admin/admin-ajax.php" \
    "id:1026512,phase:2,t:none,deny,status:403,log,msg:'CVE-2026-6512 InfusedWoo unauthenticated action',chain"
    SecRule ARGS:action "@rx (?i)infusedwoo" \
        "t:none,chain"
        # Count of cookies whose name starts with wordpress_logged_in_ is zero: no WordPress session
        SecRule &REQUEST_COOKIES:/^wordpress_logged_in_/ "@eq 0"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.