The Infility Global Infility Global WordPress plugin before 2.15.20 for WordPress does not sanitize or validate the orderby and order parameters in the import_list(), url_detail(), and file_detail() admin page callbacks before using them in SQL queries, allowing authenticated attackers with Editor-level access or higher to perform time-based blind SQL injection and extract sensitive data from the database. The ImportData module must be enabled via the Infility Global WordPress plugin before 2.15.20's module toggle page.
PUBLISHED5.2
Infility Global < 2.15.20 - Editor+ SQL Injection via orderby Parameter
Problem type
- CWE-89 SQL Injection
Affected products
Unknown
Infility Global
< 2.15.20 - AFFECTED
References
GitHub Security Advisories
GHSA-jgxx-4fc8-ff8f
The Infility Global Infility Global WordPress plugin before 2.15.20 for WordPress does not...
https://github.com/advisories/GHSA-jgxx-4fc8-ff8fThe Infility Global Infility Global WordPress plugin before 2.15.20 for WordPress does not sanitize or validate the orderby and order parameters in the import_list(), url_detail(), and file_detail() admin page callbacks before using them in SQL queries, allowing authenticated attackers with Editor-level access or higher to perform time-based blind SQL injection and extract sensitive data from the database. The ImportData module must be enabled via the Infility Global WordPress plugin before 2.15.20's module toggle page.
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-7842Click to expand
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-7842",
"assignerOrgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"assignerShortName": "WPScan",
"dateUpdated": "2026-06-23T06:00:02.093Z",
"dateReserved": "2026-05-05T08:56:09.151Z",
"datePublished": "2026-06-23T06:00:02.093Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "1bfdd5d7-9bf6-4a53-96ea-42e2716d7a81",
"shortName": "WPScan",
"dateUpdated": "2026-06-23T06:00:02.093Z"
},
"title": "Infility Global < 2.15.20 - Editor+ SQL Injection via orderby Parameter",
"descriptions": [
{
"lang": "en",
"value": "The Infility Global Infility Global WordPress plugin before 2.15.20 for WordPress does not sanitize or validate the orderby and order parameters in the import_list(), url_detail(), and file_detail() admin page callbacks before using them in SQL queries, allowing authenticated attackers with Editor-level access or higher to perform time-based blind SQL injection and extract sensitive data from the database. The ImportData module must be enabled via the Infility Global WordPress plugin before 2.15.20's module toggle page."
}
],
"affected": [
{
"vendor": "Unknown",
"product": "Infility Global",
"defaultStatus": "unaffected",
"versions": [
{
"version": "0",
"status": "affected",
"versionType": "semver",
"lessThan": "2.15.20"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-89 SQL Injection",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://wpscan.com/vulnerability/210303c4-0964-4a01-ac8e-13d7c7f424a2/",
"tags": [
"exploit",
"vdb-entry",
"technical-description"
]
}
],
"credits": [
{
"lang": "en",
"value": "Mustafa Ahmed",
"type": "finder"
},
{
"lang": "en",
"value": "WPScan",
"type": "coordinator"
}
]
}
}
}