Vulnerabilities and security research for infility-global
Jan 08, 2025
Infility Global # CVE-2024-11496
- CVE, Research URL
- Home page URL
- Application
- Date
- Jan 07, 2025
- Research Description
- The Infility Global plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the infility_global_ajax function in all versions up to, and including, 2.9.8. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update plugin options and potentially break the site.
- Affected versions
- max 2.9.9.
- Status
- vulnerable
Infility Global # CVE-2024-12290
- CVE, Research URL
- Home page URL
- Application
- Date
- Jan 07, 2025
- Research Description
- The Infility Global plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘set_type’ parameter in all versions up to, and including, 2.9.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. CVE-2024-12723 is a duplicate of this issue.
- Affected versions
- max 2.9.9.
- Status
- vulnerable
Jan 29, 2025
Infility Global # CVE-2024-12723
- CVE, Research URL
- Home page URL
- Application
- Date
- Jan 28, 2025
- Research Description
- The Infility Global WordPress plugin through 2.9.8 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
- Affected versions
- max 2.9.9.
- Status
- vulnerable
Jun 14, 2025
Infility Global # CVE-2025-47651
- CVE, Research URL
- Home page URL
- Application
- Date
- Jun 09, 2025
- Research Description
- Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Infility Infility Global infility-global allows SQL Injection. This issue affects Infility Global: from n/a through <= 2.15.06.
- Affected versions
- max 2.15.16.
- Status
- vulnerable
Jul 04, 2025
Infility Global # CVE-2025-52774
- CVE, Research URL
- Home page URL
- Application
- Date
- Jun 27, 2025
- Research Description
- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Infility Infility Global infility-global allows Reflected XSS. This issue affects Infility Global: from n/a through <= 2.15.06.
- Affected versions
- max 2.15.16.
- Status
- vulnerable
Jul 18, 2025
Infility Global # CVE-2025-47652
- CVE, Research URL
- Home page URL
- Application
- Date
- Jul 16, 2025
- Research Description
- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Infility Infility Global infility-global allows Reflected XSS. This issue affects Infility Global: from n/a through <= 2.13.4.
- Affected versions
- max 2.13.5.
- Status
- vulnerable
Aug 21, 2025
Infility Global # CVE-2025-47650
- CVE, Research URL
- Home page URL
- Application
- Date
- Aug 20, 2025
- Research Description
- Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Infility Infility Global infility-global allows Path Traversal. This issue affects Infility Global: from n/a through <= 2.15.06.
- Affected versions
- max 2.15.12.
- Status
- vulnerable
Jan 10, 2026
Infility Global # CVE-2025-68865
- CVE, Research URL
- Home page URL
- Application
- Date
- Jan 05, 2026
- Research Description
- Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Infility Infility Global infility-global allows SQL Injection. This issue affects Infility Global: from n/a through <= 2.15.06.
- Affected versions
- max 2.15.16.
- Status
- vulnerable
Infility Global # CVE-2025-12968
- CVE, Research URL
- Home page URL
- Application
- Date
- Dec 12, 2025
- Research Description
- The Infility Global plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation and capability checks in all versions up to, and including, 2.14.42. This is due to the `upload_file` function in the `infility_import_file` class only validating the MIME type which can be easily spoofed, and the `import_data` function missing capability checks. This makes it possible for authenticated attackers, with subscriber level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.
- Affected versions
- max 2.14.43.
- Status
- vulnerable
Jan 27, 2026
Infility Global # CVE-2025-68864
- CVE, Research URL
- Home page URL
- Application
- Date
- Jan 22, 2026
- Research Description
- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Infility Infility Global infility-global allows Stored XSS. This issue affects Infility Global: from n/a through <= 2.15.11.
- Affected versions
- max 2.15.10.
- Status
- vulnerable
Feb 27, 2026
Infility Global # CVE-2025-15268
- CVE, Research URL
- Home page URL
- Application
- Date
- Feb 04, 2026
- Research Description
- The Infility Global plugin for WordPress is vulnerable to unauthenticated SQL Injection via the 'infility_get_data' API action in all versions up to, and including, 2.14.46. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append - with certain server configurations - additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
- Affected versions
- max 2.14.46.
- Status
- vulnerable
May 23, 2026
Infility Global # CVE-2026-8685
- CVE, Research URL
- Home page URL
- Application
- Date
- May 20, 2026
- Research Description
- The Infility Global plugin for WordPress is vulnerable to SQL Injection via the 'orderby' and 'order' parameters in all versions up to, and including, 2.15.16. This is due to insufficient escaping on user supplied parameters and lack of sufficient preparation on the existing SQL query within the show_control_data::post_list() function, which is registered as an admin menu page with only the 'read' capability. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
- Affected versions
- max 2.15.16.
- Status
- vulnerable
Jun 25, 2026
Infility Global # CVE-2026-8163
- CVE, Research URL
- Home page URL
- Application
- Date
- Jun 23, 2026
- Research Description
- The Infility Global WordPress plugin before 2.15.19 does not properly sanitize and escape some parameters before using them in SQL statements, leading to a SQL Injection vulnerability exploitable by authenticated users with Subscriber-level access and above.
- Affected versions
- max 2.15.19.
- Status
- vulnerable
Infility Global # CVE-2026-7842
- CVE, Research URL
- Home page URL
- Application
- Date
- Jun 23, 2026
- Research Description
- The Infility Global WordPress plugin before 2.15.20 does not sanitize or validate the orderby and order parameters in the import_list(), url_detail(), and file_detail() admin page callbacks before using them in SQL queries, allowing authenticated attackers with Editor-level access or higher to perform time-based blind SQL injection and extract sensitive data from the database. The ImportData module must be enabled via the plugin's module toggle page.
- Affected versions
- max 2.15.20.
- Status
- vulnerable