CVE-2026-7842
Deferred
Deferred - Pending Action
SQL Injection in Infility Global WordPress Plugin
Vulnerability report for CVE-2026-7842, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-06-23
Last updated on: 2026-06-23
Assigner: WPScan
Description
Description
The Infility Global Infility Global WordPress plugin before 2.15.20 for WordPress does not sanitize or validate the orderby and order parameters in the import_list(), url_detail(), and file_detail() admin page callbacks before using them in SQL queries, allowing authenticated attackers with Editor-level access or higher to perform time-based blind SQL injection and extract sensitive data from the database. The ImportData module must be enabled via the Infility Global WordPress plugin before 2.15.20's module toggle page.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| infility_global | wordpress_plugin | to 2.15.20 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |