Executive Summary
A critical authorization bypass vulnerability (CVE-2026-6512) has been disclosed in the InfusedWoo Pro plugin for WordPress. The flaw allows unauthenticated attackers to permanently delete arbitrary data from affected WordPress installations without any credentials or user interaction.
The vulnerability is caused by the plugin failing to verify that a user is authorized to perform deletion actions before executing them. All versions up to and including 5.1.2 are affected. Site operators should update immediately or deactivate the plugin until a patch is available.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-6512 |
| CVSS Score | 9.1 (Critical) |
| CWE | CWE-285 — Improper Authorization |
| Type | Authorization Bypass / Unauthenticated Arbitrary Deletion |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None (unauthenticated) |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality Impact | None |
| Integrity Impact | High |
| Availability Impact | High |
| Patch Available | Check with plugin vendor |
Affected Versions
| Plugin | Affected Versions | Status |
|---|---|---|
| InfusedWoo Pro | All versions <= 5.1.2 | Patch status — verify with vendor |
About InfusedWoo Pro
InfusedWoo Pro is a WordPress plugin that integrates WooCommerce with Keap (formerly Infusionsoft), a popular CRM platform. The plugin synchronizes customer data, order information, and marketing automation between WooCommerce stores and Keap. It is used by e-commerce businesses to automate follow-up campaigns, tag customers based on purchase behavior, and manage CRM data from within WordPress.
Technical Analysis
Root Cause
The plugin registers one or more WordPress action hooks or REST API endpoints that execute deletion operations but omit proper capability checks before performing them. WordPress provides authorization mechanisms such as current_user_can() and nonce verification — InfusedWoo Pro fails to apply these checks, leaving the deletion endpoints accessible to anyone who can reach the WordPress installation.
Attack Flow
1. Attacker identifies the InfusedWoo Pro plugin is installed (via readme.txt, plugin slug in responses, etc.)
2. Attacker crafts a request to the vulnerable deletion endpoint
- e.g., POST /wp-admin/admin-ajax.php?action=infusedwoo_delete_record
- or: DELETE /wp-json/infusedwoo/v1/records/{id}
3. No authentication token, nonce, or capability check is enforced
4. Application executes the deletion against the target record ID
5. Attacker iterates over record IDs to delete customers, orders, CRM tags, or synced data
6. Deletions are permanent — no recycle bin or undo mechanismScope of Deletable Data
Depending on the plugin's internal data model, attackers may be able to permanently delete:
- WooCommerce customer records synced with Keap
- Order-linked CRM data and customer tags
- Keap contact mappings (breaking CRM sync)
- Plugin configuration records (disrupting integration functionality)
- Arbitrary WordPress post types managed by the plugin
The impact is primarily destructive — this vulnerability is a wiper-class flaw for affected data.
Impact Assessment
| Impact Area | Description |
|---|---|
| Data Destruction | Arbitrary records permanently deleted without authentication |
| Business Disruption | Loss of customer CRM data, order history, and marketing automation |
| CRM Sync Breakage | Keap integration corrupted; customer journey automation interrupted |
| Regulatory Risk | Data destruction may conflict with record-keeping requirements (GDPR Art. 17 is a right to erasure — not a right for attackers) |
| Financial Impact | Loss of order data can disrupt billing, fulfillment, and reporting |
Immediate Remediation
Step 1: Deactivate or Update InfusedWoo Pro
If a patched version is available from the vendor, update immediately. If not, deactivate the plugin until a fix is released:
- Navigate to WordPress Admin > Plugins > Installed Plugins
- Locate InfusedWoo Pro
- Click Deactivate (data is preserved; only functionality is suspended)
Step 2: Verify via WP-CLI
# Check installed version
wp plugin get infusedwoo-pro --field=version
# Deactivate via CLI if needed
wp plugin deactivate infusedwoo-pro
# Check for available updates
wp plugin update --dry-run infusedwoo-proStep 3: Audit Recent Deletion Activity
If the plugin has been active and the site is publicly accessible, audit for signs of exploitation:
# Check WordPress debug log for unexpected delete operations
grep -i "delete\|infusedwoo" /var/www/html/wp-content/debug.log | tail -200
# Check database for recently deleted records (if soft-delete is used)
wp db query "SELECT * FROM wp_posts WHERE post_status = 'trash' AND post_modified > DATE_SUB(NOW(), INTERVAL 7 DAY) ORDER BY post_modified DESC LIMIT 50;"
# Review web server access logs for deletion endpoint hits from unknown IPs
grep -E "infusedwoo|admin-ajax" /var/log/nginx/access.log | grep -E "DELETE|POST" | awk '{print $1, $7, $9}' | sort | uniq -c | sort -rn | head -30Step 4: Restore from Backup if Exploitation Occurred
If data deletion is detected:
# Identify the last clean backup
ls -lt /backups/wordpress/ | head -20
# Restore database from backup (test on staging first)
wp db import /backups/wordpress/db-backup-YYYY-MM-DD.sql
# Verify data integrity post-restore
wp post list --post_type=shop_order --post_status=any --fields=ID,post_status,post_date | head -20Step 5: Block the Vulnerable Endpoint via WAF
While deactivation or patching is in progress:
# Nginx: block requests to InfusedWoo deletion endpoints
location ~* admin-ajax\.php {
if ($request_method = DELETE) {
return 403;
}
# Additional: block known vulnerable action
if ($arg_action ~* "infusedwoo_delete") {
return 403;
}
}Detection Indicators
| Indicator | Description |
|---|---|
| POST/DELETE requests to admin-ajax.php with InfusedWoo actions | Exploitation attempt |
| Spike in 200 responses on deletion endpoints from unauthenticated sources | Active exploitation |
| Sudden loss of customer or order records in WooCommerce | Post-exploitation data loss |
| Broken Keap sync / missing customer tags | CRM data deleted or corrupted |
| Requests iterating numeric IDs in rapid succession | Automated deletion sweep |
Post-Remediation Checklist
- Update or deactivate InfusedWoo Pro immediately
- Audit web logs for deletion endpoint access from unauthenticated sources
- Restore deleted data from the most recent clean backup if exploitation occurred
- Re-sync Keap CRM if integration data was corrupted
- Implement WAF rules to block unauthenticated deletion requests
- Review all active plugin versions for similar missing-authorization patterns
- Enable WordPress activity logging (e.g., WP Activity Log plugin) for ongoing monitoring
- Report to the vendor and monitor for an official patch release