The Infility Global plugin for WordPress is vulnerable to unauthenticated SQL Injection through the 'infility_get_data' API action in all releases up to version 2.14.46. The flaw stems from insufficient escaping of user‑supplied input and the absence of prepared statements, which lets an attacker embed additional SQL statements when the server multiple statements per query. This can be used to read sensitive data from the WordPress database, potentially compromising confidentiality of site content and stored credentials. The weakness is classified as CWE‑89, an SQL Injection vulnerability where untrusted data reaches an SQL parser without proper sanitization.

All instances of the Infility Global WordPress plugin with version 2.14.46 or earlier are affected. The affected product, offered by Infility, supports WordPress sites where the plugin has been installed and the default 'infility_get_data' API endpoint is exposed.

The CVSS score of 7.5 places the issue in the high‑severity range, while the EPSS score of less than 1% indicates a low probability of exploitation at this time. The vulnerability is not listed in CISA’s KEV catalog, suggesting no public exploits have been discovered yet. Based on the description, the likely attack vector is an unauthenticated web request to the plugin’s API endpoint, which can be performed from any IP that bypasses the IP whitelist due to a predictable API key. Once the endpoint is accessed, an attacker can inject SQL fragments to retrieve database data.