WordPress Plugin SQL Injection via Unsanitized Parameters

The Infility Global WordPress plugin before version 2.15.19 contains a SQL injection vulnerability stemming from improper sanitization and escaping of user-supplied parameters before their use in database queries. This vulnerability is exploitable by authenticated users at the Subscriber level and above, making it particularly dangerous in multi-user WordPress environments where contributor access is commonly granted. WordPress plugins are among the most targeted attack vectors in web applications, and SQL injection remains a critical vulnerability class that can lead to complete database compromise, data exfiltration, privilege escalation, and lateral movement within affected systems.

While this specific CVE currently lacks mapped MITRE ATT&CK techniques and Casky skills in the platform's 754-skill taxonomy, security practitioners using Casky's Claude AI-powered extended reasoning capabilities would detect attack patterns associated with SQL injection through behavioral analysis of database query anomalies and input validation failures. Detection would focus on identifying T1190 (Exploit Public-Facing Application) patterns as attackers attempt parameter manipulation, combined with T1557 (Man-in-the-Middle) reconnaissance of plugin versions and T1565 (Data Manipulation) techniques targeting database integrity. Practitioners would observe suspicious SQL syntax fragments in request logs, unusual database error messages, and authentication bypass attempts—indicators that Casky's reasoning engine would correlate against known exploitation patterns to surface this vulnerability in their security posture assessments.