CVE-2026-8163
Status: Received - Intake
SQL Injection in Infility Global WordPress Plugin

Publication date: 2026-06-23

Last updated on: 2026-06-23

Assigner: WPScan

Description
The Infility Global WordPress plugin before 2.15.19 does not properly sanitize and escape some parameters before using them in SQL statements, leading to a SQL Injection vulnerability exploitable by authenticated users with Subscriber-level access and above.
Affected Vendors & Products (1 associated CPE)
Vendor: infility_global
Product: wordpress_plugin
Version / Range: up to 2.15.19 (exclusive)
CWE ID: CWE-UNKNOWN
AI Quick Actions (instant insights powered by AI)
Executive Summary

CVE-2026-8163 is a SQL Injection vulnerability in the Infility Global WordPress plugin versions before 2.15.19.

The issue occurs because the plugin does not properly sanitize and escape certain parameters before using them in SQL statements.

Authenticated users with Subscriber-level access or higher can exploit this vulnerability by sending a specially crafted GET request with a malicious 'order' parameter.

This allows attackers to execute arbitrary SQL commands, including time-based or UNION-based SQL injection attacks.

Impact Analysis

This vulnerability can allow an attacker with at least Subscriber-level access to execute arbitrary SQL commands on the affected WordPress site.

Potential impacts include unauthorized data access, data modification, or disruption of the database.

Because the attacker can manipulate SQL queries, they might extract sensitive information or cause delays and errors in the website's operation.

Detection Guidance

This vulnerability can be detected by sending crafted GET requests to the Infility Global WordPress plugin with a malicious 'order' parameter to test for SQL Injection.

A common detection method is to perform time-based SQL injection tests by injecting SQL such as SLEEP() into the 'order' parameter and observing whether the response is delayed (e.g. by approximately 5 seconds).

  • Use curl or similar tools to send a GET request with a payload like: curl "http://target-site.com/wp-content/plugins/infility_global/?order=1+AND+SLEEP(5)--"
  • Monitor the response time; a significant delay indicates the presence of the SQL Injection vulnerability.
Mitigation Strategies

Immediate mitigation steps include limiting Subscriber-level and higher accounts to trusted users only, since the vulnerability requires authenticated access.

Since the plugin was removed from WordPress.org without a fix, the best immediate action is to disable or uninstall the Infility Global WordPress plugin if possible.

Additionally, monitor your logs for suspicious SQL injection attempts and consider implementing Web Application Firewall (WAF) rules to block malicious requests targeting the 'order' parameter.
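As an added example (not part of the advisory and not the plugin's own code), a small Python scanner that applies the log-monitoring advice above to constructed web-server access-log lines: it isolates requests to the plugin path, decodes the 'order' parameter and flags the time-based and UNION-based injection indicators named above. The plugin path and the 'order' parameter come from this page; the combined log format, the sample lines and the "safe value" rule are assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote_plus

# Request field of an Apache/nginx combined-format access log line (assumed format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

PLUGIN_PATH = "/wp-content/plugins/infility_global/"   # path used in the advisory's probe

# Indicators for the time-based and UNION-based injection forms the advisory names.
INDICATORS = {
    "time_based": re.compile(r"\b(sleep|benchmark)\s*\(", re.I),
    "union_based": re.compile(r"\bunion\b.*\bselect\b", re.I | re.S),
    "comment_terminator": re.compile(r"(--|#|/\*)"),
}
# Assumption: a legitimate ordering value is a bare column name or direction, e.g. "date" or "ASC".
SAFE_ORDER = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def inspect_order_param(raw_target):
    """Return the sorted indicator names hit by the 'order' parameter of a plugin request,
    [] if the value looks benign, or None if the request is not a plugin request with 'order'."""
    url = urlparse(raw_target)
    if not url.path.startswith(PLUGIN_PATH):
        return None
    values = parse_qs(url.query, keep_blank_values=True).get("order")
    if not values:
        return None
    hits = set()
    for value in values:
        decoded = unquote_plus(value)   # second decode catches double-encoded payloads
        for name, pattern in INDICATORS.items():
            if pattern.search(decoded):
                hits.add(name)
        if not SAFE_ORDER.match(decoded):
            hits.add("unexpected_chars")
    return sorted(hits)


def scan_log(lines):
    """Return (client ip, indicators) for every plugin request whose 'order' value looks injected."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = inspect_order_param(m.group("target"))
        if hits:
            findings.append((m.group("ip"), hits))
    return findings


# Constructed sample log lines: one benign plugin request, two probes, one unrelated request.
SAMPLE_LOG = [
    '203.0.113.5 - - [23/Jun/2026:10:00:01 +0000] "GET /wp-content/plugins/infility_global/?order=date HTTP/1.1" 200 512',
    '203.0.113.9 - - [23/Jun/2026:10:00:07 +0000] "GET /wp-content/plugins/infility_global/?order=1+AND+SLEEP(5)-- HTTP/1.1" 200 512',
    '203.0.113.9 - - [23/Jun/2026:10:00:09 +0000] "GET /wp-content/plugins/infility_global/?order=1%20UNION%20SELECT%201,2 HTTP/1.1" 200 512',
    '198.51.100.2 - - [23/Jun/2026:10:00:11 +0000] "GET /wp-admin/edit.php?order=asc HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for ip, hits in scan_log(SAMPLE_LOG):
        print(f"{ip}: {', '.join(hits)}")
```

The same `inspect_order_param` check can serve as the basis for a WAF rule on the 'order' parameter; the regexes are a starting point, not a complete signature set.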

Compliance Impact

The vulnerability allows authenticated users with Subscriber-level access or higher to perform SQL Injection attacks, potentially leading to unauthorized access or manipulation of sensitive data stored in the database.

Such unauthorized access or data manipulation can result in violations of data protection standards and regulations like GDPR and HIPAA, which require the protection of personal and sensitive information against unauthorized access and breaches.

Therefore, if exploited, this vulnerability could compromise compliance with these regulations by exposing or altering protected data.
