CVE-2026-6506
Severity CVSS v4.0:
Pending analysis
Type:
Unavailable / Other
Publication date:
14/05/2026
Last modified:
14/05/2026
Description
The InfusedWoo Pro plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 5.1.2. This is due to the infusedwoo_gdpr_upddata() function missing authorization and capability checks, as well as lacking restrictions on which user meta keys can be updated. This makes it possible for authenticated attackers, with subscriber-level access and above, to update their own wp_capabilities user meta to grant themselves Administrator role privileges.
Impact
Base Score 3.x
8.80
Severity 3.x
HIGH



