CVE-2026-7842— Infility Global < 2.15.20 - Editor+ SQL Injection via orderby Parameter
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-7842
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Infility Global < 2.15.20 - Editor+ SQL Injection via orderby Parameter
Source: NVD (National Vulnerability Database)
Vulnerability Description
The Infility Global Infility Global WordPress plugin before 2.15.20 for WordPress does not sanitize or validate the orderby and order parameters in the import_list(), url_detail(), and file_detail() admin page callbacks before using them in SQL queries, allowing authenticated attackers with Editor-level access or higher to perform time-based blind SQL injection and extract sensitive data from the database. The ImportData module must be enabled via the Infility Global WordPress plugin before 2.15.20's module toggle page.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
N/A
Source: NVD (National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| Unknown | Infility Global | 0 ~ 2.15.20 | - |
II. Public POCs for CVE-2026-7842
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-7842
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-7842 (1)
- 🔗 Infility Global < 2.15.20 – Editor+ SQL Injection via orderby Parameter | CVE 2026-7842 | Plugin Vulnerabilities Read full article exploitvdb-entrytechnical-description
Same Patch Batch · Unknown · 2026-06-23 · 5 CVEs total
| CVE-2026-8172 | Simple Basic Contact Form <= 20250114 - Reflected XSS | |
| CVE-2026-8163 | Infility Global < 2.15.19 - Subscriber+ SQL Injection via order Parameter | |
| CVE-2026-8378 | Frontend File Manager Plugin <= 23.6 - Subscriber+ Stored Cross-Site Scripting via File Re | |
| CVE-2026-8379 | Frontend File Manager Plugin <= 23.6 - Unauthenticated Arbitrary File Download |
IV. Related Vulnerabilities
Same product: Infility Global
- CVE-2026-8163
Infility Global < 2.15.19 - Subscriber+ SQL Injection via or - CVE-2026-8685
Infility Global <= 2.15.16 - Authenticated (Subscriber+) SQL - CVE-2025-15268
Infility Global <= 2.14.46 - Unauthenticated SQL Injection v - CVE-2025-68864
WordPress Infility Global plugin <= 2.15.11 - Cross Site Scr - CVE-2025-68865
WordPress Infility Global plugin <= 2.15.06 - SQL Injection
Same vendor: Unknown
- CVE-2026-10835
SALESmanago & Leadoo < 3.11.3 - Subscriber+ SQL Injection - CVE-2026-8380
Frontend File Manager Plugin <= 23.6 - Author+ Arbitrary Pos - CVE-2026-10823
YMC Smart Filter < 3.11.3 - Unauthenticated Private/Draft Po - CVE-2025-10268
Printcart Web to Print Product Designer for WooCommerce <= 2 - CVE-2026-9702
InPost PL < 1.9.1 - Unauthenticated WooCommerce Order Parcel
V. Comments for CVE-2026-7842
No comments yet