Infility Infility Global CVE-2025-68865
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
3DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Infility Infility Global allows SQL Injection.This issue affects Infility Global: from n/a through 2.14.48.
AnalysisAI
Infility Global WordPress plugin (through 2.14.48) contains SQL injection with scope change, enabling unauthenticated database extraction beyond the plugin's own data. No patch available.
Technical ContextAI
User input is concatenated into SQL queries without parameterization (CWE-89). The scope change (S:C) means the injection can access data across the entire WordPress database, not just the plugin's tables.
Affected ProductsAI
Infility Global WordPress plugin through 2.14.48
RemediationAI
Remove the Infility Global plugin. No patch is available. Audit database for unauthorized access. Reset all user passwords.
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today