CVE-2025-15268
Unknown Unknown - Not Provided
Unauthenticated SQL Injection in Infility Global WordPress Plugin

Publication date: 2026-02-04

Last updated on: 2026-02-04

Assigner: Wordfence

Description
The Infility Global plugin for WordPress is vulnerable to unauthenticated SQL Injection via the 'infility_get_data' API action in all versions up to, and including, 2.14.46. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append - with certain server configurations - additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-04
Last Modified
2026-02-04
Generated
2026-06-16
AI Q&A
2026-02-04
EPSS Evaluated
2026-06-15
NVD
CVE-2025-15268
EUVD
EUVD-2025-206786
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
infility global_plugin to 2.14.46 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

[{'type': 'paragraph', 'content': "CVE-2025-15268 is a security vulnerability in the Infility Global WordPress plugin affecting all versions up to and including 2.14.46. The issue is an unauthenticated SQL Injection vulnerability in the 'infility_get_data' API action. This happens because the plugin does not properly escape user-supplied parameters and does not sufficiently prepare the SQL queries, allowing attackers without authentication to append additional SQL commands to existing queries."}, {'type': 'paragraph', 'content': "This vulnerability can enable attackers, depending on server configuration, to extract sensitive information from the plugin's database by injecting malicious SQL code. The vulnerability was fixed in version 2.14.52 by adding nonce verification and tightening security checks on the API endpoint to prevent unauthorized access."}] [1]

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability can have significant impacts including unauthorized data exposure. Because it allows unauthenticated attackers to perform SQL Injection, sensitive information stored in the database can be extracted without any login or permission.'}, {'type': 'list_item', 'content': "Exposure of sensitive data from the WordPress site's database."}, {'type': 'list_item', 'content': 'Potential compromise of user privacy and site confidentiality.'}, {'type': 'list_item', 'content': 'Increased risk of further attacks leveraging the extracted data.'}, {'type': 'paragraph', 'content': 'The vulnerability does not directly affect data integrity or availability (no data modification or denial of service), but the confidentiality breach alone can be critical.'}] [1]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': "The vulnerability exists in the Infility Global WordPress plugin versions up to 2.14.46 in the 'infility_get_data' API action, which is vulnerable to unauthenticated SQL Injection. Detection can focus on monitoring or testing for unauthorized access attempts to this API endpoint."}, {'type': 'paragraph', 'content': "One approach is to check for HTTP requests targeting the 'infility_get_data' AJAX endpoint without proper authentication or nonce verification."}, {'type': 'paragraph', 'content': 'Suggested commands to detect potential exploitation attempts include using curl or similar tools to send crafted requests to the vulnerable endpoint and observe responses:'}, {'type': 'list_item', 'content': "curl -v 'https://yourwordpresssite.com/wp-admin/admin-ajax.php?action=infility_get_data&param=1'"}, {'type': 'list_item', 'content': "grep or monitor web server logs for requests containing 'action=infility_get_data' without valid nonce or authentication tokens."}, {'type': 'list_item', 'content': 'Use network intrusion detection systems (IDS) or web application firewalls (WAF) to flag suspicious SQL injection patterns in requests to this endpoint.'}, {'type': 'paragraph', 'content': "Since the vulnerability involves SQL injection via user-supplied parameters, testing with typical SQL injection payloads in the 'infility_get_data' API parameters can help detect if the system is vulnerable."}] [1]

Mitigation Strategies

[{'type': 'paragraph', 'content': "The primary mitigation step is to update the Infility Global WordPress plugin to version 2.14.52 or later, where the vulnerability has been fixed by adding nonce verification and tightening security checks on the 'infility_get_data' API endpoint."}, {'type': 'paragraph', 'content': 'If immediate updating is not possible, consider temporarily disabling or restricting access to the vulnerable AJAX endpoint to prevent unauthenticated access.'}, {'type': 'paragraph', 'content': "Implement web application firewall (WAF) rules to block suspicious requests targeting the 'infility_get_data' action, especially those containing SQL injection patterns."}, {'type': 'paragraph', 'content': 'Review and enforce proper authentication and authorization checks on AJAX actions in the WordPress installation.'}, {'type': 'paragraph', 'content': 'Monitor logs for suspicious activity related to this plugin and the vulnerable endpoint.'}] [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-15268. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart