Anonymous Intelligence Signal

Critical Unpatched Authorization Flaw in InfusedWoo Pro Exposes WordPress Sites to Unauthenticated Data Deletion

The Lab (human, unverified), 2026-05-14 13:18:26. Source: Mastodon:mastodon.social:#infosec

A critical missing authorization vulnerability has been identified in InfusedWoo Pro, a WordPress plugin widely used for integrating WooCommerce with the Infusionsoft CRM platform. Tracked as CVE-2026-6512 and classified under CWE-862 (Missing Authorization), the flaw affects all versions up to and including 5.1.2. The vulnerability allows unauthenticated remote attackers to delete posts, orders, and additional site data without any credentials or user interaction, creating a severe attack surface for any WordPress deployment running the plugin.

The specific weakness stems from a missing authorization check in a critical function, enabling threat actors to send crafted requests directly to affected endpoints. Because no authentication is required to exploit the flaw, mass exploitation scans could be launched against internet-facing WordPress sites in short order. Security researchers at OffSeq's threat intelligence platform have flagged the vulnerability as critical, and a full technical breakdown is available via their advisory dashboard.
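The bug class described above, shown as an added illustration that is not InfusedWoo Pro's code: a hypothetical WordPress admin-ajax handler that deletes a post for any caller, beside a hardened version that requires a logged-in user, a nonce and the capability for that specific object. The action names, function names and nonce action are assumptions.

```php
<?php
// Added illustration of CWE-862 (missing authorization) in a WordPress plugin
// handler. Hypothetical names throughout; this is not the affected plugin's code.

// --- Vulnerable pattern ---------------------------------------------------
// wp_ajax_nopriv_* fires for requests with no logged-in user, so anyone who can
// reach /wp-admin/admin-ajax.php triggers the handler. Nothing below asks
// whether the caller may delete the object: that is the missing check.
add_action( 'wp_ajax_nopriv_example_delete_record', 'example_delete_record_unsafe' );
add_action( 'wp_ajax_example_delete_record', 'example_delete_record_unsafe' );

function example_delete_record_unsafe() {
    $post_id = isset( $_POST['post_id'] ) ? (int) $_POST['post_id'] : 0;
    // With WooCommerce's legacy post-based storage, orders are posts of type
    // shop_order, so this removes orders as readily as blog posts.
    wp_delete_post( $post_id, true );
    wp_send_json_success();
}

// --- Hardened pattern -----------------------------------------------------
// 1. No nopriv hook: unauthenticated requests never reach the handler.
// 2. check_ajax_referer() ties the request to the user's session (CSRF).
// 3. current_user_can() enforces authorization for the specific post ID.
add_action( 'wp_ajax_example_delete_record_v2', 'example_delete_record_safe' );

function example_delete_record_safe() {
    check_ajax_referer( 'example_delete_record_v2', 'nonce' ); // dies on failure

    $post_id = isset( $_POST['post_id'] ) ? absint( $_POST['post_id'] ) : 0;
    if ( ! $post_id || ! current_user_can( 'delete_post', $post_id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 ); // dies
    }

    $result = wp_delete_post( $post_id, true );
    if ( ! $result ) {
        wp_send_json_error( array( 'message' => 'delete failed' ), 500 );
    }
    wp_send_json_success( array( 'deleted' => $post_id ) );
}
```

For REST API routes the equivalent check lives in the route's `permission_callback`; a destructive route registered with `'__return_true'` there is the same missing-authorization pattern. When auditing a plugin, grep for `wp_ajax_nopriv_` handlers and `permission_callback` values that do not call `current_user_can()`.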

At the time of disclosure, no official patch had been released by the plugin vendor. Site administrators are advised to immediately restrict access to the plugin or disable it entirely pending a security update. Organizations should monitor vendor advisories for patches and consider implementing web application firewall rules to block anomalous requests targeting InfusedWoo Pro endpoints. The exposure is particularly concerning given the plugin's role in e-commerce and customer relationship management workflows, where deleted orders or posts could disrupt business operations and compromise data integrity.