Impact
The Infility Global WordPress plugin contains an SQL Injection flaw caused by unsanitized order parameters that are directly incorporated into database queries. Authenticated users with Subscriber-level privileges or higher can inject malicious SQL code through the order interface, potentially leading to data exfiltration, data tampering, or unauthorized database access. This flaw is classified as CWE‑89 and represents a failure to validate and escape user input before use in a query.
Affected Systems
Infility Global WordPress plugin versions earlier than 2.15.19 are affected. The flaw exists in the core plugin code and applies to any WordPress site that installs the plugin before the stated version, regardless of other configurations.
Risk and Exploitability
The vulnerability is exploitable only by authenticated users possessing at least Subscriber permissions. The EPSS score of <1% indicates a low but nonzero likelihood of exploitation, and the issue is not listed in the CISA KEV catalog, suggesting no publicly known exploits. The CVSS score of 8.8 reflects high severity; if an attacker gains the necessary access, the risk to data confidentiality and integrity is very high.
OpenCVE Enrichment