The Infility Global WordPress plugin, versions earlier than 2.15.20, fails to validate or sanitize the orderby and order parameters used in the import_list(), url_detail(), and file_detail() callbacks. As a result, an authenticated attacker with Editor-level access or higher can craft time-based blind SQL injection payloads that are concatenated into database queries, allowing the attacker to exfiltrate sensitive database content through response timing differences.

Any WordPress site that has the Infility Global plugin installed in a version prior to 2.15.20 and has the ImportData module enabled via the plugin’s module toggle page is affected. Sites that provide Editor-level or higher users with access to the plugin’s admin interface fall within the risk scope.

The vulnerability requires authenticated access but grants the ability to perform a blind SQL injection, which can lead to full database compromise. The CVSS score is not disclosed, but the attack requires legitimate credentials and the ImportData module to be active, limiting the attacker pool to users with Editor or higher privileges. EPSS information is unavailable and the flaw is not listed in CISA’s KEV catalog, suggesting that public exploitation is currently low. However, within organizations where Editor users are compromised or abusing credentials, the potential data theft risk is high.