
Infility Global EUVD-2026-38417 | CVE-2026-8163 HIGH
2026-06-23 · WPScan · GHSA-2hm5-4cpf-66vx
CVSS 3.1: 8.8 · Vendor: WPScan

Severity by source

Vendor (WPScan), primary: 8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

vuln.today AI: 8.8 HIGH
Network-reachable WordPress endpoint, no user interaction, Subscriber account required so PR:L, and SQLi over the full WordPress database yields high C/I/A.
CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (WPScan).

CVSS Vector (Vendor: WPScan)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline (5 events)

Analysis Generated (vuln.today): Jun 23, 2026 - 13:22
CVSS changed to 8.8 (HIGH) (NVD): Jun 23, 2026 - 13:22
Patch available (EUVD): Jun 23, 2026 - 08:16
CVE Published, HIGH 8.8 (cve.org): Jun 23, 2026 - 06:00
CVE Published, UNKNOWN (no severity yet) (cve.org): Jun 23, 2026 - 06:00

Description (CVE.org)

The Infility Global WordPress plugin before 2.15.19 does not properly sanitize and escape some parameters before using them in SQL statements, leading to a SQL Injection vulnerability exploitable by authenticated users with Subscriber-level access and above.

Analysis (AI)

SQL injection in the Infility Global WordPress plugin before 2.15.19 allows authenticated users with Subscriber-level access or higher to inject arbitrary SQL via unsanitized parameters. Publicly available exploit code exists (WPScan), and a vendor patch has been released, raising the practical risk on sites that allow open user registration. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Recon: Identify WordPress site running Infility Global
Delivery: Register Subscriber account or reuse credential
Exploit: Authenticate to WordPress
Install: Send crafted request with SQL payload to vulnerable parameter
C2: Exfiltrate wp_users hashes and secrets
Execute: Crack or forge admin session
Impact: Full site compromise

Vulnerability Assessment (AI)

Exploitation: Exploitation requires the Infility Global plugin to be installed and active at a version below 2.15.19 on the target WordPress site, and the attacker must hold a valid account at Subscriber role or above (PR:L in the CVSS vector). …

Risk Assessment: The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, score 8.8) reflects network reachability, low complexity, low-privilege authentication, no user interaction, and full CIA impact, consistent with a database-extracting SQLi on an internet-facing CMS. …

Exploit Scenario: An attacker registers a free Subscriber-level account on a target WordPress site running Infility Global below 2.15.19 (or uses any existing low-privilege credential), then sends a crafted HTTP request to the vulnerable plugin endpoint with SQL payloads injected into the unsanitized parameter. Using the publicly available WPScan exploit technique, the attacker extracts the wp_users table including password hashes and secret keys, then escalates by cracking the administrator hash or forging authentication cookies.

Remediation: Vendor-released patch: upgrade the Infility Global plugin to version 2.15.19 or later via the WordPress plugin updater, referencing the WPScan advisory at https://wpscan.com/vulnerability/e471516a-6f43-4a89-8486-7a638845e197/ for confirmation. …

Recommended Action (AI)

Within 24 hours: Inventory all WordPress instances using Infility Global plugin and review user registration logs for suspicious subscriber accounts created recently. …
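As an added example, not code from vuln.today, WPScan or the plugin vendor, the following Python script applies the action above to WP-CLI output: it flags Infility Global installs below the fixed version 2.15.19 and lists Subscriber accounts registered inside a lookback window. It assumes the plugin's WP-CLI slug is `infility-global` (not confirmed by the advisory) and uses constructed sample JSON in place of real `wp plugin list --format=json` and `wp user list --format=json` output.

```python
import json
from datetime import datetime, timedelta

FIXED_VERSION = "2.15.19"          # first fixed release per the advisory
PLUGIN_SLUG = "infility-global"    # assumed WP-CLI slug, unconfirmed

# Constructed sample output of `wp plugin list --format=json`
SAMPLE_PLUGINS = json.dumps([
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
    {"name": "infility-global", "status": "active", "update": "available", "version": "2.15.9"},
])
# Constructed sample output of `wp user list --format=json --fields=ID,user_login,user_registered,roles`
SAMPLE_USERS = json.dumps([
    {"ID": 1, "user_login": "admin", "user_registered": "2024-01-10 09:00:00", "roles": "administrator"},
    {"ID": 42, "user_login": "qwert1234", "user_registered": "2026-06-21 03:14:07", "roles": "subscriber"},
    {"ID": 43, "user_login": "olduser", "user_registered": "2025-02-01 12:00:00", "roles": "subscriber"},
])

def parse_version(v):
    # Numeric tuple comparison so 2.15.9 sorts below 2.15.19; non-digit tails are dropped
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)

def is_vulnerable(version):
    return parse_version(version) < parse_version(FIXED_VERSION)

def vulnerable_plugins(plugin_list_json):
    # Report every install of the slug below the fix, with its activation state
    return [(p["status"], p["version"]) for p in json.loads(plugin_list_json)
            if p.get("name") == PLUGIN_SLUG and is_vulnerable(p["version"])]

def recent_subscribers(user_list_json, now, days=30):
    # Subscriber-role accounts registered within the lookback window, for manual review
    cutoff = now - timedelta(days=days)
    hits = []
    for u in json.loads(user_list_json):
        registered = datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S")
        if "subscriber" in u.get("roles", "").split(",") and registered >= cutoff:
            hits.append(u["user_login"])
    return hits

if __name__ == "__main__":
    print("vulnerable installs:", vulnerable_plugins(SAMPLE_PLUGINS))
    print("recent subscribers:", recent_subscribers(SAMPLE_USERS, datetime(2026, 6, 23, 13, 0)))
```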


EUVD-2026-38417 vulnerability details – vuln.today
