Unauthenticated attackers can mint admin sessions via InfusedWoo Pro AJAX
TL;DR - InfusedWoo Pro <= 5.1.2: the iwar_save_recipe() AJAX handler has no nonce verification and no capability check. An unauthenticated attacker crafts an automation recipe that pairs an HTTP POST trigger with an auto-login action. A victim visits the crafted URL and receives auth cookies for any targeted account, including an administrator. Update to 5.1.3 or newer immediately.
What happened
InfusedWoo Pro is a WordPress e-commerce automation plugin that connects WooCommerce stores with Infusionsoft/Keap campaigns.
Wordfence published a critical advisory (CVSS 9.8) for CVE-2026-6510. The iwar_save_recipe() AJAX handler is reachable without authentication and performs no capability check and no nonce verification. An attacker sends a crafted POST request to create a malicious automation recipe. That recipe pairs an HTTP POST trigger with an auto-login action. When a victim visits the corresponding crafted URL, the plugin sets authentication cookies for the targeted account - admin accounts included.
No credentials. No session. Just an AJAX endpoint and a missing current_user_can() call.
This is a well-worn pattern in high-severity WordPress CVEs: unauthenticated admin-ajax.php exposure plus absent authorisation turns "workflow automation" into account takeover. For deeper background on this bug class, see our authentication failure research and practical drills in the authorisation testing guide.
Who is impacted
- WordPress sites running InfusedWoo Pro at any version <= 5.1.2.
- Sites where unauthenticated visitors can reach WordPress AJAX endpoints - which is the default for most public WordPress installations.
- Highest risk: stores where an admin session unlocks payment data, order management, PII export, or plugin installation.
What to do now
- Update immediately per vendor guidance:
"Remediation: Update to version 5.1.3, or a newer patched version"
- Inventory every WordPress installation for the plugin slug infusedwooPRO - including staging, dev, and legacy sites you may have forgotten.
- Assume potential compromise if patching was delayed:
  - Review access logs for request spikes to admin-ajax.php involving iwar_save_recipe actions.
  - Check for unexpected admin logins and newly created or modified automation recipes.
  - Look for unfamiliar admin accounts created after the advisory window.
- After patching, rotate admin passwords, application passwords, and any API keys or secrets that an admin session could have accessed.
- If you want to tighten baseline controls around plugin risk more broadly, start with our guide on secure dependency management and add continuous monitoring for privilege changes and authentication anomalies.
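To support the access-log review step above, here is an added Python example (not code from the advisory, Wordfence, or the plugin vendor) that scans combined-format access log lines for POSTs to admin-ajax.php naming the iwar_save_recipe action and flags source IPs that exceed a threshold. The sample log lines, IP addresses, and the threshold value are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlparse, parse_qs

# Apache/nginx "combined" log format. Pattern is an assumption about the log layout.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample traffic: three rapid recipe-save POSTs from one source,
# plus ordinary storefront activity from another. Not real log data.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2026:08:01:12 +0000] "POST /wp-admin/admin-ajax.php?action=iwar_save_recipe HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2026:08:01:13 +0000] "POST /wp-admin/admin-ajax.php?action=iwar_save_recipe HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2026:08:01:14 +0000] "POST /wp-admin/admin-ajax.php?action=iwar_save_recipe HTTP/1.1" 200 512 "-" "python-requests/2.31"
198.51.100.4 - - [10/Mar/2026:08:02:00 +0000] "GET /shop/ HTTP/1.1" 200 9031 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2026:08:02:05 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 88 "https://example.test/wp-admin/" "Mozilla/5.0"
"""

def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def find_iwar_activity(lines):
    """Return (POSTs naming iwar_save_recipe per IP, all admin-ajax POSTs per IP)."""
    named, all_ajax = Counter(), Counter()
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST":
            continue
        url = urlparse(rec["path"])
        if not url.path.endswith("/wp-admin/admin-ajax.php"):
            continue
        all_ajax[rec["ip"]] += 1
        # The action is often sent in the POST body, which access logs do not record,
        # so only the query-string form is attributable here; all_ajax covers the rest.
        if "iwar_save_recipe" in parse_qs(url.query).get("action", []):
            named[rec["ip"]] += 1
    return named, all_ajax

def flag_sources(lines, threshold=2):
    """Source IPs with at least `threshold` attributable iwar_save_recipe POSTs."""
    named, _ = find_iwar_activity(lines)
    return sorted(ip for ip, n in named.items() if n >= threshold)

if __name__ == "__main__":
    print(flag_sources(SAMPLE_LOG.splitlines()))  # ['203.0.113.7']
```

Sources with unusually high all-admin-ajax POST counts but no query-string action still deserve a look, since the same handler can be reached with the action in the request body.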
