WordPress · Kubio · CVE-2026-5427
**Name of the Vulnerable Software and Affected Versions**
Kubio versions prior to 2.7.3
**Description**
Insufficient capability checks in the `kubio_rest_pre_insert_import_assets()` function, which is hooked to the `rest_pre_insert_{post_type}` filter for posts, pages, templates, and template parts, allow arbitrary file upload. When a post is created or updated via the REST API, the plugin parses block attributes for URLs in the `kubio` attribute namespace and automatically imports them via `importRemoteFile()` without verifying that the user holds the `upload_files` capability. This allows authenticated attackers with Contributor-level access or higher to bypass the standard media upload restrictions and upload files from external URLs into the media library, creating attachment posts in the database.
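The hardened pattern for the missing check, as an added illustration that is not Kubio's code or the vendor's patch: the hook names and the `upload_files` capability are WordPress's own, while the `example_*` functions and the assumed attribute layout (`$block['attrs']['kubio']` holding nested arrays or strings) are hypothetical.

```php
<?php
// Illustrative hardened filter (added example, not Kubio's code). Gates the
// remote-asset import described above behind the upload_files capability.
foreach ( array( 'post', 'page', 'wp_template', 'wp_template_part' ) as $type ) {
    add_filter( "rest_pre_insert_{$type}", 'example_guard_remote_asset_import', 10, 2 );
}
function example_guard_remote_asset_import( $prepared_post, $request ) {
    if ( is_wp_error( $prepared_post ) || empty( $prepared_post->post_content ) ) {
        return $prepared_post;
    }
    $urls = example_collect_kubio_urls( parse_blocks( $prepared_post->post_content ) );
    if ( empty( $urls ) ) {
        return $prepared_post; // No remote assets to import, nothing to gate.
    }
    // The missing check: sideloading a remote file into the media library is an
    // upload, so it needs the same capability as a direct media upload.
    if ( ! current_user_can( 'upload_files' ) ) {
        return new WP_Error(
            'rest_cannot_upload',
            'You are not allowed to import remote files into the media library.',
            array( 'status' => rest_authorization_required_code() )
        );
    }
    foreach ( $urls as $url ) {
        // Reject malformed, non-http(s) and (by default) private-network URLs
        // before anything is fetched, so the import cannot be aimed inward.
        if ( ! wp_http_validate_url( $url ) ) {
            return new WP_Error( 'rest_invalid_asset_url', 'Rejected asset URL.', array( 'status' => 400 ) );
        }
    }
    return $prepared_post;
}
// Recursively collect http(s) strings found under the "kubio" block attribute
// (assumed layout: $block['attrs']['kubio'] holds nested arrays/strings).
function example_collect_kubio_urls( array $blocks ) {
    $urls = array();
    foreach ( $blocks as $block ) {
        if ( isset( $block['attrs']['kubio'] ) && is_array( $block['attrs']['kubio'] ) ) {
            array_walk_recursive( $block['attrs']['kubio'], function ( $value ) use ( &$urls ) {
                if ( is_string( $value ) && preg_match( '#^https?://#i', $value ) ) {
                    $urls[] = $value;
                }
            } );
        }
        if ( ! empty( $block['innerBlocks'] ) ) {
            $urls = array_merge( $urls, example_collect_kubio_urls( $block['innerBlocks'] ) );
        }
    }
    return $urls;
}
```

Running the capability check before any network fetch or attachment creation is the point; the URL validation is a second, independent guard and does not replace updating the plugin.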
**Recommendations**
Update to a version newer than 2.7.2.