PatchSiren cyber security CVE debrief
CVE-2026-8685 infility CVE debrief
A SQL injection vulnerability in the Infility Global WordPress plugin allows authenticated attackers with Subscriber-level access or higher to extract sensitive database information. The flaw exists in the show_control_data::post_list() function, which fails to properly escape and prepare user-supplied 'orderby' and 'order' parameters. The function is registered as an admin menu page requiring only the 'read' capability, making it accessible to low-privileged users. The vulnerability affects all versions up to and including 2.15.16. The CVSS 3.1 score of 6.5 reflects network attack vector, low attack complexity, low privileges required, no user interaction, and high confidentiality impact with no integrity or availability impact.
- Vendor: infility
- Product: Infility Global
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-20
- Original CVE updated: 2026-05-20
- Advisory published: 2026-05-20
- Advisory updated: 2026-05-20
Who should care
WordPress site administrators using Infility Global plugin; security teams managing WordPress installations with open registration or Subscriber-level accounts; compliance officers tracking authenticated access control violations
Technical summary
The Infility Global plugin's show_control_data::post_list() function constructs SQL queries using unsanitized user input from the 'orderby' and 'order' GET parameters. The function is hooked to an admin menu page registered with add_menu_page() using the 'read' capability, which WordPress grants to all authenticated users including Subscribers. The vulnerable code directly interpolates these parameters into ORDER BY clauses without $wpdb->prepare() or proper escaping. This enables time-based or UNION-based SQL injection attacks that can extract arbitrary database contents including user credentials, options, and post content. The CVSS vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N indicates a medium-severity confidentiality breach with no integrity or availability impact.
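The following is an added example written for this debrief; it is not the Infility Global plugin's code and does not reproduce show_control_data::post_list(). It shows the ORDER BY anti-pattern the summary above describes (request input interpolated into the clause, page registered with the 'read' capability) next to a hardened rewrite. The point a practitioner should take from it is that $wpdb->prepare() binds values only: a column name or sort direction cannot be a placeholder, so the correct fix for ORDER BY input is a fixed allowlist, not escaping. All function names, the column allowlist, the menu slug and the query itself are illustrative assumptions, and the code assumes a WordPress runtime ($wpdb, add_menu_page(), current_user_can(), wp_die()).

```php
<?php
// Added example, not the Infility Global plugin's code. Shows the ORDER BY
// anti-pattern described in the advisory beside an allowlisted rewrite.
// Assumes the WordPress runtime; every name below is illustrative.

// --- Vulnerable pattern: raw request input becomes part of the statement ----
function example_post_list_vulnerable() {
    global $wpdb;
    $orderby = isset( $_GET['orderby'] ) ? $_GET['orderby'] : 'ID';
    $order   = isset( $_GET['order'] ) ? $_GET['order'] : 'ASC';
    // $wpdb->prepare() binds values only; a column name or sort direction
    // cannot be a placeholder, so interpolating raw input here hands the
    // caller control over what follows ORDER BY.
    return $wpdb->get_results( "SELECT ID, post_title FROM {$wpdb->posts} ORDER BY $orderby $order" );
}

// --- Hardened version: allowlist identifiers, bind the values ---------------
function example_orderby_allowlist() {
    // Only columns the page actually sorts by; anything else falls back to ID.
    return array( 'ID', 'post_title', 'post_date', 'post_status' );
}

function example_sanitize_orderby( $orderby ) {
    $orderby = (string) $orderby;
    return in_array( $orderby, example_orderby_allowlist(), true ) ? $orderby : 'ID';
}

function example_sanitize_order( $order ) {
    // Collapse the direction to exactly one of two literals.
    return 'DESC' === strtoupper( (string) $order ) ? 'DESC' : 'ASC';
}

function example_post_list_hardened() {
    global $wpdb;
    // Capability check inside the callback, independent of the menu registration.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You do not have permission to view this page.' ), '', array( 'response' => 403 ) );
    }
    $orderby = example_sanitize_orderby( isset( $_GET['orderby'] ) ? wp_unslash( $_GET['orderby'] ) : 'ID' );
    $order   = example_sanitize_order( isset( $_GET['order'] ) ? wp_unslash( $_GET['order'] ) : 'ASC' );
    $limit   = isset( $_GET['per_page'] ) ? absint( $_GET['per_page'] ) : 20;

    // $orderby and $order are now literals chosen by this file, so they may be
    // interpolated; everything that is a value still goes through prepare().
    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_status = %s ORDER BY `$orderby` $order LIMIT %d",
        'publish',
        max( 1, $limit )
    );
    return $wpdb->get_results( $sql );
}

// Register the page for administrators rather than for every logged-in user.
function example_register_menu_page() {
    add_menu_page(
        'Post list',                 // page title
        'Post list',                 // menu title
        'manage_options',            // the vulnerable pattern used 'read'
        'example-post-list',         // menu slug (illustrative)
        'example_post_list_hardened'
    );
}
add_action( 'admin_menu', 'example_register_menu_page' );
```

WordPress also ships sanitize_sql_orderby(), which validates the clause's shape; an explicit allowlist of the columns the page really sorts by is stricter and is the form shown here. The capability check is repeated inside the callback so that the page stays protected even if the menu registration is later changed.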
Defensive priority
high
Recommended defensive actions
- Update Infility Global plugin to version 2.15.17 or later when available
- If immediate patching is not possible, restrict Subscriber-level user registrations and audit existing low-privilege accounts
- Implement Web Application Firewall (WAF) rules to detect and block SQL injection attempts in orderby and order parameters
- Review admin menu page capability requirements; consider custom code to elevate the 'read' capability requirement if vendor patch is delayed
- Monitor database query logs for anomalous UNION-based or time-based SQL injection patterns from authenticated sessions
- Disable the plugin temporarily if the show_control_data functionality is not business-critical
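As an added example for the interim measures above (raising the capability requirement while the vendor patch is pending, and logging suspicious sort parameters from authenticated sessions), here is a small must-use plugin. It is not vendor code. It assumes the vulnerable page is reached through wp-admin/admin.php?page=<slug>, which is how add_menu_page() pages are served; EXAMPLE_PLUGIN_PAGE_SLUG is a placeholder to replace with the slug the plugin actually registers. It does not cover admin-ajax or REST routes, only the admin menu page.

```php
<?php
/**
 * Plugin Name: Example capability gate for a vulnerable admin page
 * Added example, not vendor code. Drop into wp-content/mu-plugins/ as an
 * interim control until the vendor patch is applied. Assumes the page is
 * served as wp-admin/admin.php?page=<slug>; the slug below is a placeholder.
 */

define( 'EXAMPLE_PLUGIN_PAGE_SLUG', 'REPLACE-WITH-PLUGIN-MENU-SLUG' );

function example_requested_page_slug() {
    return isset( $_GET['page'] ) ? sanitize_text_field( wp_unslash( $_GET['page'] ) ) : '';
}

// A legitimate sort column or direction is a short identifier; anything else
// (spaces, quotes, parentheses, commas) is worth a log line.
function example_sort_params_look_suspicious( array $query ) {
    foreach ( array( 'orderby', 'order' ) as $name ) {
        if ( isset( $query[ $name ] ) && ! preg_match( '/^[A-Za-z0-9_]{1,64}$/', (string) $query[ $name ] ) ) {
            return true;
        }
    }
    return false;
}

function example_gate_plugin_page() {
    if ( EXAMPLE_PLUGIN_PAGE_SLUG !== example_requested_page_slug() ) {
        return;
    }
    $user = wp_get_current_user();
    $ip   = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';

    if ( example_sort_params_look_suspicious( $_GET ) ) {
        error_log( sprintf(
            '[example-gate] suspicious orderby/order on %s from user %d (%s) ip %s',
            EXAMPLE_PLUGIN_PAGE_SLUG, $user->ID, $user->user_login, $ip
        ) );
    }

    // admin_init runs before the menu page callback, so denying here stops
    // the vulnerable function from executing for low-privilege accounts.
    if ( ! current_user_can( 'manage_options' ) ) {
        error_log( sprintf(
            '[example-gate] blocked user %d (%s) ip %s from %s',
            $user->ID, $user->user_login, $ip, EXAMPLE_PLUGIN_PAGE_SLUG
        ) );
        wp_die( esc_html__( 'You do not have permission to access this page.' ), '', array( 'response' => 403 ) );
    }
}
add_action( 'admin_init', 'example_gate_plugin_page' );
```

The log lines go to PHP's error_log destination, so they can be picked up by whatever already collects the web server's error log. The gate is deliberately narrow (one page slug, one capability) so it can be removed cleanly once version 2.15.17 or later is installed.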
Evidence notes
Vulnerability confirmed via WordPress Plugin Trac source code analysis at lines 34, 74, 78, and 84 of show-control-data.php. Wordfence assigned CVE and published technical details. NVD status is 'Deferred' as of disclosure date.
Official resources
2026-05-20