Skip to main content

Infility Global CVE-2025-68864

HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-01-22 audit@patchstack.com
7.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Analysis Updated
Apr 28, 2026 - 13:30 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Apr 23, 2026 - 15:43 vuln.today
cvss_changed
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
CVE Published
Jan 22, 2026 - 17:16 nvd
HIGH 7.1

DescriptionCVE.org

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Infility Infility Global infility-global allows Stored XSS.This issue affects Infility Global: from n/a through <= 2.14.50.

AnalysisAI

Stored cross-site scripting in Infility Global WordPress plugin through version 2.14.50 allows remote attackers to inject malicious scripts that execute in victim browsers. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) indicates unauthenticated attackers can exploit this remotely with low complexity, requiring only victim interaction. EPSS score of 0.04% (12th percentile) suggests low probability of mass exploitation. Patchstack vulnerability database confirms this as a stored XSS vulnerability, meaning injected scripts persist and affect multiple users who view the compromised content.

Technical ContextAI

This vulnerability stems from improper input neutralization during web page generation (CWE-79), the most common web application security weakness. Infility Global is a WordPress plugin, and like many WordPress components, it likely accepts user-supplied input (form fields, comments, settings) without adequate sanitization or output encoding. Stored XSS differs from reflected XSS in that the malicious payload is permanently stored on the server (database, file system, or cache) and served to users upon page load. The changed scope (S:C) in the CVSS vector indicates the vulnerability can affect resources beyond the plugin's own security boundary, potentially compromising WordPress admin sessions or other site functionality. The plugin's version numbering suggests active development, with the vulnerability affecting all versions through 2.14.50, implying a longstanding code flaw rather than a recent regression.

Affected ProductsAI

Infility Global WordPress plugin versions from earliest available through version 2.14.50 are confirmed vulnerable per Patchstack database. The plugin is developed by Infility and distributed through WordPress.org or direct vendor channels. The CVE description uses 'n/a through <= 2.14.50' notation, indicating the vulnerability exists in all known versions up to and including 2.14.50, suggesting this is a design flaw or longstanding implementation issue rather than a recent introduction. Site administrators should verify their installed version via WordPress admin dashboard under Plugins section. The Patchstack reference specifically identifies this as affecting the WordPress ecosystem, meaning exploitation requires an active WordPress installation with this plugin enabled.

RemediationAI

Update Infility Global plugin to version 2.14.51 or later if available, checking the WordPress plugin repository or vendor site for the latest secure release. The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/infility-global/vulnerability/wordpress-infility-global-plugin-2-14-49-cross-site-scripting-xss-vulnerability should be consulted for vendor-confirmed fix version, though no specific patched version is confirmed in the provided data. If no patch is released, implement compensating controls: disable the plugin entirely if not business-critical, restrict plugin configuration access to trusted administrators only (WordPress capability management), deploy Web Application Firewall rules to filter script tags in plugin input fields (may break legitimate functionality requiring HTML input), implement strict Content Security Policy headers to prevent inline script execution (will block all inline scripts site-wide unless carefully tuned), and sanitize all user-generated content before rendering (requires code modification). Monitor WordPress and plugin logs for suspicious input patterns containing <script>, onerror, onclick, or encoded variations. Each mitigation trades functionality or administrative overhead for security-CSP in particular requires extensive testing to avoid breaking site features.

Share

CVE-2025-68864 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy