Description
The Infility Global WordPress plugin before 2.15.19 does not properly sanitize and escape some parameters before using them in SQL statements, leading to a SQL Injection vulnerability exploitable by authenticated users with Subscriber-level access and above.
Published: 2026-06-23
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Infility Global WordPress plugin contains an SQL Injection flaw caused by unsanitized order parameters that are directly incorporated into database queries. Authenticated users with Subscriber-level privileges or higher can inject malicious SQL code through the order interface, potentially leading to data exfiltration, data tampering, or unauthorized database access. This flaw is classified as CWE‑89 and represents a failure to validate and escape user input before use in a query.

Affected Systems

Infility Global WordPress plugin versions earlier than 2.15.19 are affected. The flaw exists in the core plugin code and applies to any WordPress site that installs the plugin before the stated version, regardless of other configurations.

Risk and Exploitability

The vulnerability is exploitable only by authenticated users possessing at least Subscriber permissions. The EPSS score of <1% indicates a low but nonzero likelihood of exploitation, and the issue is not listed in the CISA KEV catalog, suggesting no publicly known exploits. The CVSS score of 8.8 reflects high severity; if an attacker gains the necessary access, the risk to data confidentiality and integrity is very high.

Generated by OpenCVE AI on June 24, 2026 at 09:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor's patch by upgrading Infility Global to version 2.15.19 or later.
  • Limit Subscriber‑level privileges on sites where database modification is not required, ensuring users cannot alter order data.
  • Verify that other WordPress plugins and themes properly escape input and use parameterized queries to prevent similar injection flaws.

Generated by OpenCVE AI on June 24, 2026 at 09:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Infility
Infility infility Global
Wordpress
Wordpress wordpress
Vendors & Products Infility
Infility infility Global
Wordpress
Wordpress wordpress

Wed, 24 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-89

Wed, 24 Jun 2026 04:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-89

Wed, 24 Jun 2026 00:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-89

Tue, 23 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-89

Tue, 23 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-89

Tue, 23 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-89

Tue, 23 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 23 Jun 2026 08:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-89

Tue, 23 Jun 2026 06:45:00 +0000

Type Values Removed Values Added
Description The Infility Global WordPress plugin before 2.15.19 does not properly sanitize and escape some parameters before using them in SQL statements, leading to a SQL Injection vulnerability exploitable by authenticated users with Subscriber-level access and above.
Title Infility Global < 2.15.19 - Subscriber+ SQL Injection via order Parameter
References

Subscriptions

Infility Infility Global
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-06-23T12:26:45.047Z

Reserved: 2026-05-08T11:17:03.909Z

Link: CVE-2026-8163

cve-icon Vulnrichment

Updated: 2026-06-23T12:25:46.338Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T16:06:29Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')