Vulnerability Brief
CVE-2026-7842
What this means for your business
A security vulnerability in the Infility Global WordPress plugin means that an attacker who already has editor-level access or higher to your website could extract sensitive information from your database, such as passwords or financial data. To protect your business, update the plugin to the latest version, which fixes this issue, and regularly monitor your website for signs of unauthorized activity.
- Severity: MEDIUM
- CVSS score: 6.8
Technical summary
The Infility Global WordPress plugin before 2.15.20 does not sanitize or validate the orderby and order parameters in the import_list(), url_detail(), and file_detail() admin page callbacks before using them in SQL queries. This allows authenticated attackers with Editor-level access or higher to perform time-based blind SQL injection and extract sensitive data from the database. The ImportData module must be enabled via the plugin's module toggle page.
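ORDER BY identifiers and sort directions cannot be bound as prepared-statement placeholders, so the usual defence for parameters like orderby and order is an allow-list. The following is an added example, not the plugin's code or its actual patch; the column names, the default and the function name are hypothetical.

```php
<?php
// Added illustration: allow-list handling of list-table sort parameters.
// Column names are hypothetical; the plugin's real schema is not shown on the page.

const SORTABLE_COLUMNS = [
    // request value => SQL identifier emitted into the query
    'id'      => '`id`',
    'title'   => '`title`',
    'created' => '`created_at`',
];

/**
 * Build an ORDER BY clause from untrusted request parameters.
 * Nothing supplied by the client is copied into the SQL string:
 * the value is only used as a lookup key into a fixed map.
 */
function build_order_clause(array $request, string $default = 'id'): string
{
    $orderby = $request['orderby'] ?? $default;
    $order   = $request['order'] ?? 'ASC';

    // orderby[]=x arrives as an array in PHP; treat any non-string as absent.
    if (!is_string($orderby) || !array_key_exists($orderby, SORTABLE_COLUMNS)) {
        $orderby = $default;
    }
    // Direction is one of two literals, compared case-insensitively.
    $direction = (is_string($order) && strtoupper($order) === 'DESC') ? 'DESC' : 'ASC';

    return 'ORDER BY ' . SORTABLE_COLUMNS[$orderby] . ' ' . $direction;
}

// Constructed sample inputs, including values that are not valid sort keys.
$samples = [
    ['orderby' => 'created', 'order' => 'desc'],
    ['orderby' => 'title'],
    ['orderby' => 'id, (subquery)', 'order' => 'ASC; --'],
    ['orderby' => ['id'], 'order' => ['DESC']],
    [],
];

foreach ($samples as $request) {
    echo json_encode($request), ' => ', build_order_clause($request), PHP_EOL;
}
```

Any request value that is not an exact key of the map falls back to the default column, so the generated clause is always one of a fixed, finite set of strings.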