PT-2026-42085 · WordPress · Infility Global

·

CVE-2026-8685

·

Published

2026-05-20

·

Updated

2026-05-28

CVSS v3.1

6.5

Medium

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions Infility Global versions prior to 2.15.17
Description The Infility Global plugin for WordPress contains a flaw allowing authenticated attackers with Subscriber-level access and above to extract sensitive information from the database. This occurs because the show control data::post list() function, which is registered as an admin menu page with 'read' capability, fails to sufficiently escape user-supplied parameters or prepare the SQL query. Attackers can append additional SQL queries via the 'orderby' and 'order' parameters.
Recommendations Update the plugin to a version later than 2.15.16. As a temporary workaround, restrict access to the show control data::post list() function or avoid using the orderby and order parameters until the update is applied.

Fix

SQL injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-8685

Affected Products

Infility Global