ByteOS Network

NVD Vulnerability Details :

CVE-2025-15268

Awaiting Analysis

Source-security@wordfence.com

Published At-04 Feb, 2026 | 09:15

Updated At-04 Feb, 2026 | 16:33

The Infility Global plugin for WordPress is vulnerable to unauthenticated SQL Injection via the 'infility_get_data' API action in all versions up to, and including, 2.14.46. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append - with certain server configurations - additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Primary	3.1	7.5	HIGH	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Type: Primary

Version: 3.1

Base score: 7.5

Base severity: HIGH

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Weaknesses

CWE ID	Type	Source
CWE-89	Primary	security@wordfence.com

CWE ID: CWE-89

Type: Primary

Source: security@wordfence.com

References

Hyperlink	Source	Resource
https://plugins.trac.wordpress.org/browser/infility-global/trunk/include/class/db.class.php?marks=41#L41	security@wordfence.com	N/A
https://plugins.trac.wordpress.org/browser/infility-global/trunk/include/class/str.class.php?marks=21#L21	security@wordfence.com	N/A
https://plugins.trac.wordpress.org/browser/infility-global/trunk/infility_global.php?marks=626#L626	security@wordfence.com	N/A
https://www.wordfence.com/threat-intel/vulnerabilities/id/648941b8-d1ab-4587-bd87-f23008ac9a00?source=cve	security@wordfence.com	N/A