Infility Global CVE-2025-68864
HIGHSeverity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Lifecycle Timeline
4DescriptionCVE.org
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Infility Infility Global infility-global allows Stored XSS.This issue affects Infility Global: from n/a through <= 2.14.50.
AnalysisAI
Stored cross-site scripting in Infility Global WordPress plugin through version 2.14.50 allows remote attackers to inject malicious scripts that execute in victim browsers. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) indicates unauthenticated attackers can exploit this remotely with low complexity, requiring only victim interaction. EPSS score of 0.04% (12th percentile) suggests low probability of mass exploitation. Patchstack vulnerability database confirms this as a stored XSS vulnerability, meaning injected scripts persist and affect multiple users who view the compromised content.
Technical ContextAI
This vulnerability stems from improper input neutralization during web page generation (CWE-79), the most common web application security weakness. Infility Global is a WordPress plugin, and like many WordPress components, it likely accepts user-supplied input (form fields, comments, settings) without adequate sanitization or output encoding. Stored XSS differs from reflected XSS in that the malicious payload is permanently stored on the server (database, file system, or cache) and served to users upon page load. The changed scope (S:C) in the CVSS vector indicates the vulnerability can affect resources beyond the plugin's own security boundary, potentially compromising WordPress admin sessions or other site functionality. The plugin's version numbering suggests active development, with the vulnerability affecting all versions through 2.14.50, implying a longstanding code flaw rather than a recent regression.
Affected ProductsAI
Infility Global WordPress plugin versions from earliest available through version 2.14.50 are confirmed vulnerable per Patchstack database. The plugin is developed by Infility and distributed through WordPress.org or direct vendor channels. The CVE description uses 'n/a through <= 2.14.50' notation, indicating the vulnerability exists in all known versions up to and including 2.14.50, suggesting this is a design flaw or longstanding implementation issue rather than a recent introduction. Site administrators should verify their installed version via WordPress admin dashboard under Plugins section. The Patchstack reference specifically identifies this as affecting the WordPress ecosystem, meaning exploitation requires an active WordPress installation with this plugin enabled.
RemediationAI
Update Infility Global plugin to version 2.14.51 or later if available, checking the WordPress plugin repository or vendor site for the latest secure release. The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/infility-global/vulnerability/wordpress-infility-global-plugin-2-14-49-cross-site-scripting-xss-vulnerability should be consulted for vendor-confirmed fix version, though no specific patched version is confirmed in the provided data. If no patch is released, implement compensating controls: disable the plugin entirely if not business-critical, restrict plugin configuration access to trusted administrators only (WordPress capability management), deploy Web Application Firewall rules to filter script tags in plugin input fields (may break legitimate functionality requiring HTML input), implement strict Content Security Policy headers to prevent inline script execution (will block all inline scripts site-wide unless carefully tuned), and sanitize all user-generated content before rendering (requires code modification). Monitor WordPress and plugin logs for suspicious input patterns containing <script>, onerror, onclick, or encoded variations. Each mitigation trades functionality or administrative overhead for security-CSP in particular requires extensive testing to avoid breaking site features.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today