CVE-2026-7842
SQL Injection in Infility Global WordPress Plugin

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: WPScan

Description
The Infility Global WordPress plugin before 2.15.20 does not sanitize or validate the orderby and order parameters in the import_list(), url_detail(), and file_detail() admin page callbacks before using them in SQL queries, allowing authenticated attackers with Editor-level access or higher to perform time-based blind SQL injection and extract sensitive data from the database. The ImportData module must be enabled via the plugin's module toggle page.
Affected Vendors & Products

Vendor: infility_global
Product: wordpress_plugin
Version / Range: up to 2.15.20 (exclusive)
CWE ID: CWE-UNKNOWN
Executive Summary

The Infility Global WordPress plugin before version 2.15.20 contains a vulnerability where it does not properly sanitize or validate the 'orderby' and 'order' parameters in certain admin page callbacks (import_list(), url_detail(), and file_detail()).

This flaw allows authenticated users with Editor-level access or higher to perform a time-based blind SQL injection attack by injecting malicious SQL code through these parameters.

Exploitation requires the ImportData module to be enabled in the plugin. Attackers can extract sensitive data from the database by manipulating the SQL queries executed by the plugin.

Impact Analysis

This vulnerability can allow attackers with Editor-level access or higher to extract sensitive data from your WordPress database without proper authorization.

Since it is a time-based blind SQL injection, attackers can slowly retrieve confidential information by observing response delays, potentially compromising user data, site content, or other sensitive information stored in the database.

Detection Guidance

This vulnerability can be detected by attempting to exploit the time-based blind SQL injection in the orderby parameter of the Infility Global WordPress plugin's ImportData module pages.

A proof of concept involves enabling the ImportData module, logging in as a user with Editor-level access or higher, and appending SQL payloads to the orderby parameter in the URL of the import_list(), url_detail(), or file_detail() admin pages.

  • Enable the ImportData module in the Infility Global WordPress plugin.
  • Log in as an Editor or higher.
  • Use a browser or a tool like curl to send requests to the import_list() page URL with a crafted orderby parameter containing SQL payloads.
  • Observe response delays indicating a successful time-based blind SQL injection.
Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the Infility Global WordPress plugin to version 2.15.20 or later, where the issue has been fixed.

Additionally, if updating immediately is not possible, consider disabling the ImportData module to prevent exploitation, as the vulnerability requires this module to be enabled.

Limit Editor-level access to trusted users only, as the vulnerability requires authenticated Editor or higher privileges.
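The root cause described above is a sort column and direction taken from the request and placed into SQL unchanged. The fix for this class of bug is to never let those values reach the query string at all: map them through an allow-list and only ever interpolate your own constants. The PHP below is an added example written for this page, not the plugin's own code or its actual fix; the table name, column names and the capability checked are assumptions for illustration.

```php
<?php
// Added example (not Infility Global's code): allow-list handling of the
// orderby/order request parameters in a hypothetical WordPress admin list
// callback. Table name, column names and the capability are assumptions.

function example_import_list_query( $request ) {
    global $wpdb;

    // Least privilege: require an explicit capability rather than relying
    // on whoever can reach the admin page. The capability is an assumption.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }

    // Only these columns may be used for sorting. The request value is used
    // purely as a lookup key; it is never placed in the query itself.
    $allowed_orderby = array(
        'id'         => 'id',
        'name'       => 'name',
        'created_at' => 'created_at',
    );
    $orderby_key = isset( $request['orderby'] ) ? sanitize_key( $request['orderby'] ) : 'id';
    $orderby     = isset( $allowed_orderby[ $orderby_key ] ) ? $allowed_orderby[ $orderby_key ] : 'id';

    // The sort direction is reduced to one of two literals we control.
    $order = ( isset( $request['order'] ) && 'desc' === strtolower( (string) $request['order'] ) ) ? 'DESC' : 'ASC';

    // Pagination values are cast to integers and bound via $wpdb->prepare().
    $per_page = 20;
    $page     = isset( $request['paged'] ) ? max( 1, (int) $request['paged'] ) : 1;
    $offset   = ( $page - 1 ) * $per_page;

    $table = $wpdb->prefix . 'example_imports'; // assumed table name

    // $orderby and $order now hold constants chosen from our own arrays, so
    // interpolating them cannot change the structure of the statement. The
    // numeric values still go through prepare() as %d placeholders.
    $sql = $wpdb->prepare(
        "SELECT id, name, created_at FROM {$table} ORDER BY {$orderby} {$order} LIMIT %d OFFSET %d",
        $per_page,
        $offset
    );

    return $wpdb->get_results( $sql );
}
```

$wpdb->prepare() only supports value placeholders, not identifiers, so it cannot protect an ORDER BY column on its own; the allow-list is what keeps the request value out of the SQL. Any orderby value not in the array, including one carrying SQL, silently falls back to the default column, and the same pattern applies to the order parameter.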

Compliance Impact

The vulnerability allows authenticated attackers with Editor-level access or higher to perform time-based blind SQL injection and extract sensitive data from the database.

Extraction of sensitive data due to this vulnerability could lead to non-compliance with data protection regulations such as GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.

Therefore, exploitation of this vulnerability may result in violations of these standards by exposing confidential data.
