WordPress Plugin Vulnerabilities

InfusedWoo Pro < 5.1.3 - Unauthenticated Arbitrary File Read via 'url' Parameter

Description

The InfusedWoo Pro plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 5.1.2 via the popup_submit. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services.

Affects Plugins

Plugin icon
infusedwooPRO
Fixed in 5.1.3

References

CVE
CVE-2026-6514
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/76b75e61-e7f8-41cc-ab4f-e6ca42d68308

Classification

Type
SSRF
OWASP top 10
A1: Injection
CWE
CWE-918
CVSS
7.5 (high)

Miscellaneous

Original Researcher
Osvaldo Noe Gonzalez Del Rio (Os)
Verified
No
WPVDB ID
412fd07a-98d7-4426-aa6d-11a5d7c79737

Timeline

Publicly Published
2026-05-13 (about 12 days ago)
Added
2026-05-13 (about 12 days ago)
Last Updated
2026-05-14 (about 12 days ago)

Other

Published
Title
Published
2022-10-21
Title
Better Messages < 1.9.10.69 - Subscriber+ SSRF
Published
2023-05-30
Title
Download Monitor < 4.8.2 - Admin+ SSRF
Published
2025-02-27
Title
URL Media Uploader < 1.0.1 - Authenticated (Author+) Server-Side Request Forgery via DNS Rebinding
Published
2018-01-20
Title
Google Forms <= 0.91 - Unauthenticated Server-Side Request Forgery (SSRF)
Published
2025-03-21
Title
Make Builder < 1.1.11 - Authenticated (Subscriber+) Server-Side Request Forgery via make_builder_ajax_subscribe Function