Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Infility Infility Global infility-global allows Stored XSS.This issue affects Infility Global: from n/a through <= 2.15.11.
Published: 2026-01-22
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Stored cross-site scripting
Action: Apply Patch
AI Analysis

Impact

The vulnerability is an improper neutralization of input during web page generation (CWE-79) that allows attackers to store malicious JavaScript in the Infility Global WordPress plugin. Because the plugin fails to escape user-supplied data, arbitrary scripts can run in the browsers of authenticated or unauthenticated visitors, potentially leading to data theft, session hijacking, defacement or further compromise of the site.

Affected Systems

The affected product is the Infility Global plugin for WordPress. Versions from the initial release up to and including 2.15.11 are vulnerable. Any WordPress installation that has the plugin set to an affected version is at risk.

Risk and Exploitability

The CVSS score of 7.1 indicates a high damage potential for a successful exploit. The EPSS score of less than 1% suggests that, at the time of this analysis, the likelihood of a public exploit being used is low, and the vulnerability is not listed in the CISA KEV. Based on the description, it is inferred that attackers could exploit this flaw by inserting crafted payloads through any input field that the plugin stores, such as comment sections or contact forms. If the payload is executed in the browser of a site visitor, the attacker can hijack that visitor’s session or exfiltrate sensitive data.

Generated by OpenCVE AI on April 29, 2026 at 02:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Infility Global plugin to a version newer than 2.15.11.
  • If an upgrade is not immediately possible, remove or disable the plugin until an update is applied, or block the vulnerable input points by tightening validation or using a web‑application firewall.
  • Ensure that any remaining user-generated content is properly encoded or sanitized before rendering to prevent similar injection weaknesses.

Generated by OpenCVE AI on April 29, 2026 at 02:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Infility Infility Global infility-global allows Stored XSS.This issue affects Infility Global: from n/a through <= 2.15.12. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Infility Infility Global infility-global allows Stored XSS.This issue affects Infility Global: from n/a through <= 2.15.11.
Title WordPress Infility Global plugin <= 2.15.12 - Cross Site Scripting (XSS) vulnerability WordPress Infility Global plugin <= 2.15.11 - Cross Site Scripting (XSS) vulnerability

Tue, 28 Apr 2026 13:15:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Infility Infility Global infility-global allows Stored XSS.This issue affects Infility Global: from n/a through <= 2.15.11. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Infility Infility Global infility-global allows Stored XSS.This issue affects Infility Global: from n/a through <= 2.15.12.
Title WordPress Infility Global plugin <= 2.15.11 - Cross Site Scripting (XSS) vulnerability WordPress Infility Global plugin <= 2.15.12 - Cross Site Scripting (XSS) vulnerability

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Infility Infility Global infility-global allows Stored XSS.This issue affects Infility Global: from n/a through <= 2.15.06. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Infility Infility Global infility-global allows Stored XSS.This issue affects Infility Global: from n/a through <= 2.15.11.
Title WordPress Infility Global plugin <= 2.15.06 - Cross Site Scripting (XSS) vulnerability WordPress Infility Global plugin <= 2.15.11 - Cross Site Scripting (XSS) vulnerability

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Infility Infility Global infility-global allows Stored XSS.This issue affects Infility Global: from n/a through <= 2.14.50. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Infility Infility Global infility-global allows Stored XSS.This issue affects Infility Global: from n/a through <= 2.15.06.
Title WordPress Infility Global plugin <= 2.14.50 - Cross Site Scripting (XSS) vulnerability WordPress Infility Global plugin <= 2.15.06 - Cross Site Scripting (XSS) vulnerability

Thu, 29 Jan 2026 00:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

 cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 28 Jan 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:L'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 23 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Infility
Infility infility Global
Wordpress
Wordpress wordpress
Vendors & Products Infility
Infility infility Global
Wordpress
Wordpress wordpress

Thu, 22 Jan 2026 23:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Infility Infility Global infility-global allows Stored XSS.This issue affects Infility Global: from n/a through <= 2.14.50.
Title WordPress Infility Global plugin <= 2.14.50 - Cross Site Scripting (XSS) vulnerability
Weaknesses CWE-79
References

Subscriptions

Infility Infility Global
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T14:32:38.383Z

Reserved: 2025-12-24T14:00:24.759Z

Link: CVE-2025-68864

cve-icon Vulnrichment

Updated: 2026-01-28T15:29:11.649Z

cve-icon NVD

Status : Deferred

Published: 2026-01-22T17:16:12.037

Modified: 2026-04-28T19:36:02.540

Link: CVE-2025-68864

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T02:45:35Z

Weaknesses