CVSS base score
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
What the vulnerability does
The InfusedWoo Pro plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.1.2. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to permanently delete arbitrary posts, pages, products, or orders, mass-delete all comments on any post, and change any post's status.
Explanation of Vulnerability in Simple Terms
InfusedWoo Pro versions up to 5.1.2 lack proper authorization checks, allowing unauthenticated attackers to read and modify sensitive data without logging in. The vulnerability affects all versions from 0 to 5.1.2. No authentication or user interaction is required to exploit this flaw. Site administrators should update to a version newer than 5.1.2 immediately.
What an attacker can do
Read and modify sensitive data on the site without logging in.
Potential impact on your site
Attackers can access and alter critical site data, including customer information and orders, without any credentials.
Conditions required to exploit
Network access only; no authentication or user interaction required.
Key dates
External resources
Related vulnerabilities
