VYPR
Unrated severity · NVD Advisory · Published Jun 23, 2026

Infility Global < 2.15.20 - Editor+ SQL Injection via orderby Parameter

CVE-2026-7842

Description

The Infility Global WordPress plugin before 2.15.20 does not sanitize or validate the orderby and order parameters in the import_list(), url_detail(), and file_detail() admin page callbacks before using them in SQL queries, allowing authenticated attackers with Editor-level access or higher to perform time-based blind SQL injection and extract sensitive data from the database. The ImportData module must be enabled via the plugin's module toggle page for the affected callbacks to be reachable.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability mechanics

Root cause

"Missing sanitization and validation of the orderby and order parameters in SQL queries allows time-based blind SQL injection."

Attack vector

An authenticated attacker with at least Editor-level privileges accesses the admin pages that invoke the `import_list()`, `url_detail()`, or `file_detail()` callbacks while the ImportData module is enabled. The plugin fails to sanitize or validate the `orderby` and `order` parameters before embedding them into SQL queries, allowing the attacker to inject malicious SQL fragments. By observing time delays in the response, the attacker can perform time-based blind SQL injection to extract sensitive data from the database. [ref_id=1]

What the fix does

The advisory states that the fix is included in version 2.15.20 of the Infility Global plugin. Although the patch diff is not provided in the bundle, the remediation must validate the `orderby` and `order` parameters before they reach the SQL text, most likely by mapping them onto an allowlist of column names and the two sort directions. Prepared statements alone do not close this hole: placeholders bind values, not identifiers, so a column name or sort direction in an ORDER BY clause cannot be parameterised and has to be constrained by an allowlist instead. Done that way, the raw request string never reaches the query and arbitrary SQL fragments cannot be injected through these parameters. [ref_id=1]
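The following is an added illustration of the pattern described above, written for this page; it is not code from the Infility Global plugin, and the table name, function names and request handling are hypothetical. The first function reconstructs the vulnerable shape (request values concatenated into ORDER BY), the second shows the allowlist fix using the WordPress $wpdb API, with the numeric paging values still passed through $wpdb->prepare():

```php
<?php
// Added example for CVE-2026-7842, not the plugin's own code.
// Table name "{$wpdb->prefix}infility_demo_imports" and the infility_demo_* functions are hypothetical.

// VULNERABLE SHAPE (as the advisory describes it): orderby and order are read from the
// request and concatenated into the SQL text. $wpdb->prepare() cannot help with these two
// because placeholders bind values, not identifiers.
function infility_demo_import_list_vulnerable( $wpdb, array $request ) {
    $orderby = isset( $request['orderby'] ) ? $request['orderby'] : 'id';
    $order   = isset( $request['order'] ) ? $request['order'] : 'ASC';

    $sql = "SELECT id, url, status FROM {$wpdb->prefix}infility_demo_imports"
         . " ORDER BY {$orderby} {$order}";

    // ORDER BY accepts arbitrary expressions, so a value such as "(SELECT SLEEP(5))" in
    // orderby makes MySQL stall; the measurable delay is the generic time-based oracle.
    return $wpdb->get_results( $sql );
}

// HARDENED SHAPE: the request value is only used as a lookup key into a fixed allowlist.
// Whatever the attacker sends, the string that reaches SQL is one of our own constants.
function infility_demo_sanitize_orderby( $orderby, $order ) {
    $columns = array(
        'id'      => 'id',
        'url'     => 'url',
        'status'  => 'status',
        'created' => 'created_at',
    );
    $key       = strtolower( (string) $orderby );
    $column    = isset( $columns[ $key ] ) ? $columns[ $key ] : 'id';
    $direction = ( 'DESC' === strtoupper( (string) $order ) ) ? 'DESC' : 'ASC';
    return array( $column, $direction );
}

function infility_demo_import_list_fixed( $wpdb, array $request ) {
    // Defence in depth (assumption, not stated by the advisory): the advisory says Editor-level
    // users can reach these callbacks, so also gate the page on an administrator capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }

    list( $column, $direction ) = infility_demo_sanitize_orderby(
        isset( $request['orderby'] ) ? $request['orderby'] : '',
        isset( $request['order'] ) ? $request['order'] : ''
    );

    $per_page = 20;
    $page     = isset( $request['paged'] ) ? max( 1, (int) $request['paged'] ) : 1;

    // Identifiers come only from the allowlist; the numeric values go through prepare().
    $sql = $wpdb->prepare(
        "SELECT id, url, status FROM {$wpdb->prefix}infility_demo_imports"
        . " ORDER BY {$column} {$direction} LIMIT %d OFFSET %d",
        $per_page,
        ( $page - 1 ) * $per_page
    );
    return $wpdb->get_results( $sql );
}
```

The same allowlist helper would serve all three callbacks named in the advisory, since each only needs a column name and a direction; a quick check that a fix is complete is to send `orderby=(SELECT SLEEP(5))` to each page on a test install and confirm the response time does not change.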

Preconditions

  • config: The ImportData module must be enabled via the plugin's module toggle page.
  • auth: Attacker must be authenticated with at least Editor-level access.
  • network: Attacker must be able to reach the admin pages that invoke the import_list(), url_detail(), or file_detail() callbacks.

Generated on Jun 23, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
