Description
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Infility Infility Global infility-global allows Path Traversal. This issue affects Infility Global: from n/a through <= 2.15.06.
Published: 2025-08-20
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An improper limitation of pathname to a restricted directory flaw in the Infility Global WordPress plugin permits an attacker to craft a request that includes a traversal sequence, enabling the download of arbitrary files from the server. This path traversal vulnerability can expose sensitive files such as configuration data, passwords, or other confidential information. The weakness is classified as CWE-22.

Affected Systems

Infility: Infility Global plugin is affected. The vulnerability applies to all versions from the plugin’s earliest release up through 2.15.06. No versions beyond 2.15.06 have been confirmed to contain the flaw.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1% suggests a low likelihood of exploitation at present. The vulnerability is not listed in CISA’s KEV catalog. Based on the description, the attack vector is likely remote via a web request to the plugin’s endpoint that accepts a path parameter; it is inferred that authentication is not required, though the original description does not explicitly state this. Note that the CVSS vector recorded in the History section (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) specifies PR:L, that is, low privileges required. Exploitation would involve manipulating the path to read files outside the intended directory.

Generated by OpenCVE AI on April 30, 2026 at 08:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Infility Global plugin to the latest version available, which must be greater than 2.15.06.
  • If an update is not immediately feasible, configure the web server or application firewall to block directory traversal patterns (e.g., reject URLs containing '../' sequences).
  • Continuously monitor web server logs for unexpected file download attempts and review access to sensitive files.
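
A log check for the last two actions, added here as an example (not OpenCVE's or the vendor's code): it percent-decodes each request target repeatedly before looking for a `..` segment, so encoded forms that a literal '../' match misses are still flagged. The log lines, the `example_download` action and the `file` parameter are constructed for illustration; the page does not name the plugin's endpoint or parameter.

```python
import re
from urllib.parse import unquote

# Combined-log-format line: client IP ... "METHOD target HTTP/x" status
LOG_RE = re.compile(r'^(\S+) .*?"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+" (\d{3})')

def fully_decode(value, max_rounds=5):
    """Percent-decode repeatedly so double-encoded input collapses too."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def has_traversal(target):
    """True if a path segment or parameter value is exactly '..' after decoding."""
    decoded = fully_decode(target).replace("\\", "/")
    # Split on the characters that delimit path segments and query values.
    return ".." in re.split(r"[/?&=;]", decoded)

def scan(lines):
    """Return (client_ip, raw_target, status) for every flagged request."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and has_traversal(m.group(2)):
            ip, target, status = m.groups()
            hits.append((ip, target, int(status)))
    return hits

# Constructed sample log lines (hypothetical endpoint and parameter names).
BASE = "/wp-admin/admin-ajax.php?action=example_download&file="
SAMPLE_LOG = [
    f'203.0.113.5 - - [20/Aug/2025:10:00:01 +0000] "GET {BASE}report.pdf HTTP/1.1" 200 5120',
    f'198.51.100.7 - - [20/Aug/2025:10:00:02 +0000] "GET {BASE}../../wp-config.php HTTP/1.1" 200 3301',
    f'198.51.100.7 - - [20/Aug/2025:10:00:03 +0000] "GET {BASE}%252e%252e%252fwp-config.php HTTP/1.1" 403 199',
    f'198.51.100.7 - - [20/Aug/2025:10:00:04 +0000] "GET {BASE}..%5c..%5cwp-config.php HTTP/1.1" 404 0',
    '203.0.113.9 - - [20/Aug/2025:10:00:05 +0000] "GET /blog/version-1..2-notes HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    for ip, target, status in scan(SAMPLE_LOG):
        # A 200 on a flagged request means the file may have been served.
        print(f"{ip} status={status} {target}")
```

Flagged requests that returned status 200 are the ones to review first, since the response may have contained the requested file.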



Advisories
Source: EUVD
ID: EUVD-2025-25298
Title: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Infility Infility Global allows Path Traversal. This issue affects Infility Global: from n/a through 2.14.7.
History

Tue, 28 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description
Values Removed: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Infility Infility Global infility-global allows Path Traversal. This issue affects Infility Global: from n/a through <= 2.15.11.
Values Added: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Infility Infility Global infility-global allows Path Traversal. This issue affects Infility Global: from n/a through <= 2.15.06.
Title
Values Removed: WordPress Infility Global <= 2.15.09 - Arbitrary File Download vulnerability
Values Added: WordPress Infility Global <= 2.15.06 - Arbitrary File Download vulnerability

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description
Values Removed: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Infility Infility Global infility-global allows Path Traversal. This issue affects Infility Global: from n/a through <= 2.15.06.
Values Added: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Infility Infility Global infility-global allows Path Traversal. This issue affects Infility Global: from n/a through <= 2.15.11.
Title
Values Removed: WordPress Infility Global <= 2.15.06 - Arbitrary File Download vulnerability
Values Added: WordPress Infility Global <= 2.15.09 - Arbitrary File Download vulnerability
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
Values Removed: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Infility Infility Global allows Path Traversal. This issue affects Infility Global: from n/a through 2.14.7.
Values Added: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Infility Infility Global infility-global allows Path Traversal. This issue affects Infility Global: from n/a through <= 2.15.06.
Title
Values Removed: WordPress Infility Global <= 2.14.7 - Arbitrary File Download Vulnerability
Values Added: WordPress Infility Global <= 2.15.06 - Arbitrary File Download vulnerability
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Thu, 21 Aug 2025 13:00:00 +0000

Type Values Removed Values Added
First Time appeared Infility
Infility infility Global
Wordpress
Wordpress wordpress
Vendors & Products Infility
Infility infility Global
Wordpress
Wordpress wordpress

Wed, 20 Aug 2025 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 20 Aug 2025 08:15:00 +0000

Type Values Removed Values Added
Description Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Infility Infility Global allows Path Traversal. This issue affects Infility Global: from n/a through 2.14.7.
Title WordPress Infility Global <= 2.14.7 - Arbitrary File Download Vulnerability
Weaknesses CWE-22
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:12:48.004Z

Reserved: 2025-05-07T10:45:13.130Z

Link: CVE-2025-47650

Vulnrichment

Updated: 2025-08-20T13:42:06.928Z

NVD

Status : Deferred

Published: 2025-08-20T08:15:30.087

Modified: 2026-04-28T19:32:30.970

Link: CVE-2025-47650

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T08:15:32Z
