Description
The Infility Global plugin for WordPress is vulnerable to SQL Injection via the 'orderby' and 'order' parameters in all versions up to, and including, 2.15.16. This is due to insufficient escaping on user supplied parameters and lack of sufficient preparation on the existing SQL query within the show_control_data::post_list() function, which is registered as an admin menu page with only the 'read' capability. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2026-05-20
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Infility Global plugin for WordPress contains a SQL injection flaw in the show_control_data::post_list() function where the 'orderby' and 'order' parameters are concatenated into a database query without proper escaping. An attacker who is authenticated with Subscriber level access or higher can supply crafted values for these parameters to inject and execute arbitrary SQL, enabling extraction of sensitive information stored in the WordPress database. The vulnerability could be leveraged to compromise database confidentiality and potentially alter data if the attacker chooses destructive queries.

Affected Systems

Infility Global plugin for WordPress, versions up to and including 2.15.16.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity. Exploitation requires only a legitimate WordPress user with Subscriber or higher privileges, making the attack vector a web application context. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV catalog, suggesting no widespread publicly known exploitation at the time of assessment. Nevertheless, any authenticated user in the specified roles can use the vulnerable parameters to retrieve database content, so the risk of confidential data exposure remains significant.

Generated by OpenCVE AI on May 20, 2026 at 03:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Infility Global plugin to version 2.15.17 or newer, where the vulnerability is fixed.
  • If an immediate upgrade is infeasible, disable or delete the show_control_data widget or any dashboard page that uses the vulnerable parameters until the plugin can be updated.
  • Limit Subscriber and higher role permissions so that only trusted users with administrative duties have access to the dashboard features that trigger the vulnerable code; consider revoking unnecessary dashboard access for lower‑level roles.
  • As a temporary workaround, modify the plugin’s show_control_data.php to validate or whitelist the 'orderby' and 'order' inputs, ensuring they contain only approved column names or sort directions.

Generated by OpenCVE AI on May 20, 2026 at 03:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 20 May 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 20 May 2026 04:30:00 +0000

Type Values Removed Values Added
First Time appeared Infility
Infility infility Global
Wordpress
Wordpress wordpress
Vendors & Products Infility
Infility infility Global
Wordpress
Wordpress wordpress

Wed, 20 May 2026 02:15:00 +0000

Type Values Removed Values Added
Description The Infility Global plugin for WordPress is vulnerable to SQL Injection via the 'orderby' and 'order' parameters in all versions up to, and including, 2.15.16. This is due to insufficient escaping on user supplied parameters and lack of sufficient preparation on the existing SQL query within the show_control_data::post_list() function, which is registered as an admin menu page with only the 'read' capability. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Title Infility Global <= 2.15.16 - Authenticated (Subscriber+) SQL Injection via 'orderby' Parameter
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Infility Infility Global
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-20T15:45:35.201Z

Reserved: 2026-05-15T14:19:38.838Z

Link: CVE-2026-8685

cve-icon Vulnrichment

Updated: 2026-05-20T14:25:15.953Z

cve-icon NVD

Status : Deferred

Published: 2026-05-20T02:16:41.143

Modified: 2026-05-20T13:54:54.890

Link: CVE-2026-8685

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-20T04:15:21Z

Weaknesses