Privilege Escalation Vulnerability in InfusedWoo Pro Plugin by WordPress
CVE-2026-6506

8.8HIGH

Key Information:

Vendor: WordPress
Status: Infusedwoo Pro
Vendor: CVE Published:; 14 May 2026

What is CVE-2026-6506?

The InfusedWoo Pro plugin for WordPress presents a vulnerability that allows authenticated users to escalate their privileges. Specifically, the lack of authorization and capability checks in the infusedwoo_gdpr_upddata() function means that users with subscriber-level access and above can modify their own wp_capabilities user meta. This allows them to grant themselves Administrator role privileges, posing a significant security risk.

Affected Version(s)

InfusedWoo Pro 0 <= 5.1.2

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://drive.google.com/file/d/1QrKLX-GcBiAMKzEI4mZBPO-S...

https://woo.infusedaddons.com/

CVSS V3.1

Score:

8.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 14, 2026
Vulnerability Reserved
Apr 17, 2026

Credit

Osvaldo Noe Gonzalez Del Rio

CVE-2026-6506 Data

JSON