MEDIUM
infility
CVE published 2026-05-20
CVE-2026-8685
A SQL injection vulnerability in the Infility Global WordPress plugin allows authenticated attackers with Subscriber-level access or higher to extract sensitive database information. The flaw exists in the show_control_data::post_list() function, which fails to properly escape and prepare user-supplied 'orderby' and 'order' parameters. The function is registered as an admin menu page requiring only the 'r [truncated]