Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Infility Infility Global infility-global allows SQL Injection. This issue affects Infility Global: from n/a through <= 2.15.06.
Published: 2026-01-05
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Infility Global plugin for WordPress contains a flaw where user‑supplied input is concatenated directly into a database query without proper sanitization. An attacker can exploit this to inject arbitrary SQL statements, enabling the reading, modification, or deletion of data stored in the WordPress database. The vulnerability compromises data confidentiality and integrity, and could also affect availability if critical data is corrupted. The issue is classified as CWE‑89.

Affected Systems

Infility Global plugin versions up to and including 2.15.06 are affected. All releases from the earliest available version through 2.15.06 contain the vulnerability, impacting any WordPress site that has installed one of these versions.

Risk and Exploitability

The CVSS score of 9.3 flags the flaw as critical and indicates high impact. Its EPSS score of less than 1% suggests that, at present, exploitation is unlikely, and it is not listed in the CISA KEV catalog. The attack vector is inferred to be remote, requiring an HTTP request to the plugin’s input endpoint. While the plugin can receive data from various sources, anyone with access to the site could potentially craft a malicious request, so the risk remains significant for unpatched installations.

Generated by OpenCVE AI on April 29, 2026 at 17:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Infility Global plugin to a version newer than 2.15.06, where the SQL injection vulnerability has been addressed.
  • Configure the WordPress database user to have the minimal privileges required by the site, limiting the damage potential of any injection attack.
  • Regularly audit installed plugins and core WordPress to ensure they are kept current and that no unnecessary plugins remain active, thereby reducing the attack surface.


Advisories

No advisories yet.

History

Tue, 28 Apr 2026 18:30:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Infility Infility Global infility-global allows SQL Injection. This issue affects Infility Global: from n/a through <= 2.15.11.
  Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Infility Infility Global infility-global allows SQL Injection. This issue affects Infility Global: from n/a through <= 2.15.06.
Title
  Removed: WordPress Infility Global plugin <= 2.15.11 - SQL Injection vulnerability
  Added: WordPress Infility Global plugin <= 2.15.06 - SQL Injection vulnerability

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Infility Infility Global infility-global allows SQL Injection. This issue affects Infility Global: from n/a through <= 2.15.06.
  Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Infility Infility Global infility-global allows SQL Injection. This issue affects Infility Global: from n/a through <= 2.15.11.
Title
  Removed: WordPress Infility Global plugin <= 2.15.06 - SQL Injection vulnerability
  Added: WordPress Infility Global plugin <= 2.15.11 - SQL Injection vulnerability
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Infility Infility Global allows SQL Injection. This issue affects Infility Global: from n/a through 2.14.48.
  Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Infility Infility Global infility-global allows SQL Injection. This issue affects Infility Global: from n/a through <= 2.15.06.
Title
  Removed: WordPress Infility Global plugin <= 2.14.48 - SQL Injection vulnerability
  Added: WordPress Infility Global plugin <= 2.15.06 - SQL Injection vulnerability
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Tue, 06 Jan 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 06 Jan 2026 14:30:00 +0000

Type Values Removed Values Added
First Time appeared Infility
Infility infility Global
Wordpress
Wordpress wordpress
Vendors & Products Infility
Infility infility Global
Wordpress
Wordpress wordpress

Mon, 05 Jan 2026 11:00:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Infility Infility Global allows SQL Injection. This issue affects Infility Global: from n/a through 2.14.48.
Title WordPress Infility Global plugin <= 2.14.48 - SQL Injection vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:32.112Z

Reserved: 2025-12-24T14:00:24.759Z

Link: CVE-2025-68865

Vulnrichment

Updated: 2026-01-06T15:45:08.643Z

NVD

Status: Deferred

Published: 2026-01-05T11:17:42.267

Modified: 2026-04-28T19:36:02.633

Link: CVE-2025-68865

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-29T17:45:16Z

Weaknesses