cleantalk
Vulnerabilities and Security Researches

Infility Global, CVE-2026-8685

CVE, Research URL

CVE-2026-8685

Home page URL

Security reports for Infility Global

Application

Infility Global

Published on
May 20, 2026
Research Description
The Infility Global plugin for WordPress is vulnerable to SQL Injection via the 'orderby' and 'order' parameters in all versions up to, and including, 2.15.16. This is due to insufficient escaping on user supplied parameters and lack of sufficient preparation on the existing SQL query within the show_control_data::post_list() function, which is registered as an admin menu page with only the 'read' capability. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Affected versions
max 2.15.16.
Status
vulnerable
Previous vulnerability researches
Buooy Sticky Header (CVE-2024-51699) , Nov 08, 2024
New vulnerability
WP Directory Kit (CVE-2026-42672) , May 23, 2026
診断ジェネレータ作成プラグイン (CVE-2026-5293) , May 23, 2026
MyCryptoCheckout – Bitcoin, Ethereum, and 100+ altcoins for WooCommerce (CVE-2026-45209) , May 23, 2026
SponsorMe (CVE-2026-8626) , May 23, 2026
Infility Global (CVE-2026-8685) , May 23, 2026