External risk intelligence

WordPress plugin can let attackers delete customer data or disrupt sales

CVE advisory

Severity: CRITICAL (CVSS 9.1)

CVE-2026-6512

A WordPress plugin called InfusedWoo Pro has a critical flaw allowing anyone to delete products, orders, or other site content without logging in, potentially disrupting sales and causing data loss.

Halo Surface Signal: 4

External exposure likelihood

Halo Surface Signal score for CVE-2026-6512

The vulnerability resides in a WordPress plugin used for e-commerce. Because WordPress sites are typically deployed as public-facing web applications to serve customers, the plugin's functionality and its associated endpoints are exposed to the public internet as part of the normal web server environment.

Horizon Alert

Summary of the vulnerability and why it matters

An authorization bypass vulnerability in the InfusedWoo Pro WordPress plugin could allow unauthenticated attackers to delete any posts, pages, products, or orders. Attackers could also mass-delete comments or change post statuses. This issue demands attention because it could lead to significant data loss and disruption for e-commerce operations.

  • Allows unauthorized deletion of critical business data.
  • Affects e-commerce sites using the plugin.
  • Unauthenticated access makes it broadly exploitable.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker could abuse this flaw to perform administrative actions on website content. They could send requests to the plugin's endpoints to delete posts, pages, products, or orders, mass-delete comments, or alter post statuses without any credentials. This effectively allows them to deface the website or disrupt its content and e-commerce operations.

  • Unauthenticated access is sufficient.
  • Targets plugin administrative actions.
  • Deletes or modifies critical content.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability allows unauthenticated attackers to bypass authorization checks, leading to severe data manipulation actions like permanent deletion of posts, pages, products, or orders, mass comment deletion, and status changes. Such broad and destructive capabilities make it a highly attractive target for attackers aiming to cause significant damage or disruption to a website.

  • Exploitable remotely by unauthenticated users.
  • High impact on data integrity and availability.
  • Plugin is deployed on public-facing e-commerce sites.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize blocking unauthenticated access to the InfusedWoo Pro plugin's operations. Investigate logs for any signs of post deletion, mass comment deletion, or status changes. If malicious activity is detected, isolate affected WordPress sites immediately.

  • Block unauthorized API access.
  • Monitor for unauthorized content deletion.
  • Update plugin to version 5.1.3 or later.

Frequently asked questions

What is the main security issue in the InfusedWoo Pro WordPress plugin?

The InfusedWoo Pro plugin for WordPress has a critical authorization bypass vulnerability in all versions up to and including 5.1.2. This flaw allows unauthenticated attackers to perform unauthorized actions, such as deleting any posts, pages, products, or orders, mass-deleting all comments, and changing post statuses.

What type of weakness allows attackers to delete WordPress content via InfusedWoo Pro?

The vulnerability stems from a missing or improperly implemented authorization check, classified as CWE-862. This weakness means the plugin does not adequately verify if a user has the necessary permissions before executing actions, enabling unauthenticated attackers to manipulate content.
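The pattern CWE-862 describes is easiest to see next to its fix. The following is an added illustration written for this page, not code from InfusedWoo Pro or from the advisory: a hypothetical WordPress AJAX action (the `example_delete_item` names and the `post_id` and `nonce` parameters are assumptions) that permanently deletes a post, first in the form that fails to check authorization, then hardened with the checks WordPress provides for exactly this purpose.

```php
<?php
// Illustrative WordPress AJAX handler (hypothetical; not InfusedWoo Pro code).
// Shows the CWE-862 pattern: a destructive action reachable by unauthenticated
// requests that never verifies who is asking.

// --- Vulnerable pattern --------------------------------------------------------
// Registering on the "wp_ajax_nopriv_" hook exposes the callback to visitors who
// are not logged in, and the callback checks neither a capability nor a nonce.
add_action( 'wp_ajax_nopriv_example_delete_item', 'example_delete_item_vulnerable' );
add_action( 'wp_ajax_example_delete_item',        'example_delete_item_vulnerable' );

function example_delete_item_vulnerable() {
    $post_id = isset( $_POST['post_id'] ) ? (int) $_POST['post_id'] : 0;
    // Any visitor reaches this line: authorization is never verified.
    wp_delete_post( $post_id, true ); // true = skip the trash, delete permanently
    wp_send_json_success( array( 'deleted' => $post_id ) );
}

// --- Hardened pattern ----------------------------------------------------------
// 1. No "nopriv" registration: unauthenticated requests never reach the callback.
// 2. A nonce ties the request to the logged-in session (also blocks CSRF).
// 3. An object-level capability check confirms this user may delete this post.
add_action( 'wp_ajax_example_delete_item_secure', 'example_delete_item_secure' );

function example_delete_item_secure() {
    // Terminates the request with HTTP 403 if the nonce is missing or invalid.
    check_ajax_referer( 'example_delete_item', 'nonce' );

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;

    // 'delete_post' is a meta capability: map_meta_cap() resolves it to the
    // primitive capability for this post's type (e.g. delete_others_posts,
    // delete_products), so custom post types are covered as well.
    if ( ! $post_id || ! current_user_can( 'delete_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'Not permitted' ), 403 );
    }

    if ( ! wp_delete_post( $post_id, true ) ) {
        wp_send_json_error( array( 'message' => 'Delete failed' ), 500 );
    }
    wp_send_json_success( array( 'deleted' => $post_id ) );
}

// The nonce the client must send is minted server-side for the logged-in user,
// for example when the admin script is enqueued: wp_create_nonce( 'example_delete_item' ).
```

The two checks are not interchangeable: a nonce only proves the request originated from a page served to a logged-in session, while `current_user_can()` is the authorization decision. Dropping the `nopriv` hook alone is not enough either, because any logged-in subscriber would still be able to call the action.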

How can an attacker exploit the InfusedWoo Pro vulnerability to delete arbitrary posts?

An unauthenticated attacker can exploit this vulnerability by targeting the plugin's endpoints that handle post, page, product, or order management. Since the plugin fails to properly verify authorization, attackers can send requests to these endpoints to permanently delete or modify content without needing any login credentials.

What is the practical impact of the InfusedWoo Pro vulnerability on e-commerce sites?

The InfusedWoo Pro vulnerability poses a significant threat to e-commerce operations by allowing unauthenticated attackers to permanently delete critical business data like products and orders, mass-delete comments, or alter post statuses. This can lead to substantial data loss, disrupt sales, and damage the site's integrity. The Halo Surface Signal indicates this is 'Likely' to be exploited due to the public-facing nature of WordPress e-commerce sites.

What steps should be taken to mitigate the InfusedWoo Pro vulnerability?

To mitigate this vulnerability, it is recommended to block unauthenticated access to the InfusedWoo Pro plugin's operations and update the plugin to version 5.1.3 or later. Additionally, monitor WordPress site logs for any signs of unauthorized content deletion or status changes and isolate affected sites if malicious activity is detected.
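Both the Operational Fix section and the answer above recommend watching site logs for content deletion and status changes. Web-server access logs rarely show which post was deleted or by whom, so the following added example (written for this page, not part of the advisory or the InfusedWoo Pro plugin) records those events from inside WordPress. It is a small must-use plugin that hooks the core actions fired on permanent post deletion, post status transitions and comment deletion, and writes one log line per event with the acting user ID and request origin; the `cda_` prefix and the `[content-audit]` tag are assumptions chosen here.

```php
<?php
/**
 * Plugin Name: Content Deletion Audit (illustrative)
 * Description: Added detection example, not InfusedWoo Pro code. Copy into
 *              wp-content/mu-plugins/ to log destructive content changes with the
 *              acting user and request origin, so deletions performed by an
 *              unauthenticated request stand out in the log.
 */

// Describes who is driving the current request. User ID 0 means "no logged-in
// user"; cron and WP-CLI legitimately run as user 0, so they are labelled to
// keep them from raising alerts.
function cda_actor_context() {
    if ( defined( 'WP_CLI' ) && WP_CLI ) {
        $source = 'wp-cli';
    } elseif ( wp_doing_cron() ) {
        $source = 'cron';
    } elseif ( defined( 'REST_REQUEST' ) && REST_REQUEST ) {
        $source = 'rest';
    } elseif ( wp_doing_ajax() ) {
        $source = 'admin-ajax';
    } else {
        $source = 'web';
    }
    return array(
        'user'   => get_current_user_id(),
        'source' => $source,
        'ip'     => isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-',
        'uri'    => isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '-',
        'action' => isset( $_REQUEST['action'] ) ? sanitize_key( $_REQUEST['action'] ) : '-',
    );
}

// Writes one line to the PHP error log (or the file WP_DEBUG_LOG points at).
// A destructive event from user 0 on a web, admin-ajax or REST request is the
// signature of an authorization bypass, so it is tagged ALERT for grepping.
function cda_log( $event, array $details ) {
    $ctx   = cda_actor_context();
    $alert = ( 0 === $ctx['user'] && ! in_array( $ctx['source'], array( 'cron', 'wp-cli' ), true ) );
    error_log( sprintf(
        '[content-audit]%s event=%s %s user=%d source=%s ip=%s action=%s uri=%s',
        $alert ? ' ALERT unauthenticated-destructive' : '',
        $event,
        http_build_query( $details, '', ' ' ),
        $ctx['user'], $ctx['source'], $ctx['ip'], $ctx['action'], $ctx['uri']
    ) );
}

// Permanent deletion of any post type (pages, products, legacy post-based orders).
add_action( 'before_delete_post', function ( $post_id, $post ) {
    cda_log( 'delete_post', array( 'id' => $post_id, 'type' => $post->post_type ) );
}, 10, 2 );

// Status changes (e.g. publish -> draft/trash/private); 'new' -> draft on
// post creation is skipped as noise.
add_action( 'transition_post_status', function ( $new_status, $old_status, $post ) {
    if ( $new_status !== $old_status && 'new' !== $old_status ) {
        cda_log( 'post_status', array(
            'id'   => $post->ID,
            'type' => $post->post_type,
            'from' => $old_status,
            'to'   => $new_status,
        ) );
    }
}, 10, 3 );

// Comment deletion; a burst of these from one IP is the mass-deletion case.
add_action( 'delete_comment', function ( $comment_id ) {
    cda_log( 'delete_comment', array( 'id' => $comment_id ) );
}, 10, 1 );
```

Once installed, `grep 'content-audit.*ALERT' debug.log` lists every deletion or status change that no logged-in user performed, with the source IP and the `action` parameter that reached `admin-ajax.php`; a cluster of such lines in a short window is the pattern to treat as active exploitation and the trigger for isolating the site as the advisory recommends. Because hooks run inside the request, the log line is written even when the destructive request itself returns nothing useful to the web-server log.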
