What is the CVSS score of EUVD-2026-38416?

EUVD-2026-38416 has a CVSS 3.1 base score of 6.8 (Medium). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N. EPSS exploitation probability: 0.2%.

Is there a public PoC exploit available for EUVD-2026-38416?

Yes, a public proof-of-concept exploit is available for EUVD-2026-38416. Prioritise patching immediately. EPSS: 0.2%.

Is there a patch available for EUVD-2026-38416?

Yes, a patch is available for EUVD-2026-38416. Update the affected software to the latest version immediately.

Infility Global EUVD-2026-38416

| CVE-2026-7842 MEDIUM

2026-06-23 WPScan

GHSA-jgxx-4fc8-ff8f

SQLi WordPress Information Disclosure Infility Global

6.8

CVSS 3.1 · Vendor: WPScan

Severity by source

Vendor (WPScan) PRIMARY

6.8 MEDIUM

AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

vuln.today AI

6.8 MEDIUM

PR:H confirmed by Editor+ requirement; S:C reflects database-wide read beyond plugin scope; no write or availability impact identified from description.

3.1 AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

4.0 AV:N/AC:L/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (WPScan).

CVSS VectorVendor: WPScan

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

High

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

None

Lifecycle Timeline

Analysis Generated

Jun 23, 2026 - 13:23 vuln.today

CVSS changed

Jun 23, 2026 - 13:22 NVD

6.8 (MEDIUM)

Patch available

Jun 23, 2026 - 08:16 EUVD

CVE Published

Jun 23, 2026 - 06:00 cve.org

MEDIUM 6.8

CVE Published

Jun 23, 2026 - 06:00 cve.org

UNKNOWN (no severity yet)

DescriptionCVE.org

The Infility Global Infility Global WordPress plugin before 2.15.20 for WordPress does not sanitize or validate the orderby and order parameters in the import_list(), url_detail(), and file_detail() admin page callbacks before using them in SQL queries, allowing authenticated attackers with Editor-level access or higher to perform time-based blind SQL injection and extract sensitive data from the database. The ImportData module must be enabled via the Infility Global WordPress plugin before 2.15.20's module toggle page.

AnalysisAI

Time-based blind SQL injection in the Infility Global WordPress plugin (versions before 2.15.20) enables authenticated attackers holding Editor-level access or higher to extract arbitrary data from the WordPress database. The unsanitized orderby and order parameters in three admin callbacks - import_list(), url_detail(), and file_detail() - are passed directly into SQL queries without validation or parameterization. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Obtain or compromise Editor-level WordPress credentials

Delivery

Confirm ImportData module is enabled on target site

Exploit

Send crafted HTTP request to affected admin callback with malicious orderby payload

Execution

Trigger time-delayed SQL execution in database backend

Persist

Measure response latency to infer data values

Impact

Iteratively extract full database contents

Access

Obtain or compromise Editor-level WordPress credentials

Delivery

Confirm ImportData module is enabled on target site

Exploit

Send crafted HTTP request to affected admin callback with malicious orderby payload

Execution

Trigger time-delayed SQL execution in database backend

Persist

Measure response latency to infer data values

Impact

Iteratively extract full database contents

Vulnerability AssessmentAI

Exploitation	Two specific conditions must both be met for exploitation. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	The CVSS 3.1 base score of 6.8 with vector AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N reflects a network-exploitable, low-complexity injection requiring high privileges (Editor+). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker who has compromised or socially engineered an Editor-level WordPress account on a site running a vulnerable Infility Global version with the ImportData module enabled sends a crafted HTTP POST to one of the affected admin callbacks with a malicious `orderby` value containing a time-based SQL expression (e.g., `IF(1=1,SLEEP(5),0)`). By measuring server response latency across repeated requests, the attacker iteratively extracts data bit-by-bit from WordPress tables - including `wp_users` password hashes, email addresses, and stored API keys. …
Remediation	Upgrade the Infility Global WordPress plugin to version 2.15.20 or later, which contains the vendor-released patch resolving the unsanitized ORDER BY injection. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-8163 HIGH This Week POC

8.8 Jun 23

SQL injection in the Infility Global WordPress plugin before 2.15.19 allows authenticated users with Subscriber-level ac

EUVD-2026-38416 vulnerability details – vuln.today

Back

Infility Global EUVD-2026-38416

Severity by source

CVSS VectorVendor: WPScan

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

More from same product – last 7 days

Share

External POC / Exploit Code