How to fix CVE-2025-15268?

Within 24 hours: Inventory all WordPress installations and identify those with Infility Global plugin installed; disable or deactivate the plugin immediately if not business-critical. Within 7 days: Implement WAF rules to block requests to the 'infility_get_data' API action; conduct database access logs review for signs of exploitation. Within 30 days: Monitor vendor security advisories for patch availability; evaluate alternative plugins or solutions; restore from clean backups if compromise is suspected.

Is PHP affected by CVE-2025-15268?

WordPress sites using the Infility Global plugin (versions up to 2.14.46) are exposed to unauthenticated SQL injection attacks that could lead to unauthorized database access, data theft, or site compromise.

CVE-2025-15268

HIGH

2026-02-04 [email protected]

7.5

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

CVE Published

Feb 04, 2026 - 09:15 nvd

HIGH 7.5

Description

The Infility Global plugin for WordPress is vulnerable to unauthenticated SQL Injection via the 'infility_get_data' API action in all versions up to, and including, 2.14.46. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append - with certain server configurations - additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Analysis

The Infility Global plugin for WordPress is vulnerable to unauthenticated SQL Injection via the 'infility_get_data' API action in all versions up to, and including, 2.14.46. [CVSS 7.5 HIGH]

Technical Context

Classified as CWE-89 (SQL Injection). Affects Infility Global (WordPress plugin). The Infility Global plugin for WordPress is vulnerable to unauthenticated SQL Injection via the 'infility_get_data' API action in all versions up to, and including, 2.14.46. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append - with certain server configurations - additional SQL queries into already existing queries that can be used to extract sensitive inf

Affected Products

Vendor: WordPress. Product: Infility Global (WordPress plugin).

Remediation

Monitor vendor advisories for a patch. Use parameterized queries. Implement input validation. Restrict network access to the affected service where possible.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +38

POC: 0

CVE-2025-15268 vulnerability details – vuln.today

Back

CVE-2025-15268

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-15268

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code