CVE-2025-15268

Infility Global · Infility Global plugin for WordPress

The Infility Global plugin for WordPress is vulnerable to unauthenticated SQL Injection via the 'infility_get_data' API action. This allows remote attackers to extract sensitive data.

Executive summary

The Infility Global WordPress plugin contains an unauthenticated SQL Injection vulnerability that allows any remote attacker to access and extract sensitive information from the database.

Vulnerability

This is an unauthenticated SQL Injection vulnerability. The flaw exists in the 'infility_get_data' API action, which fails to properly sanitize user-supplied input before using it in a database query, allowing attacker-controlled SQL to be executed against the site's database.

Business impact

Since exploitation requires no authentication, any remote client that can reach the site can potentially query the underlying WordPress database. This could lead to the theft of PII, administrative credentials, and proprietary site data, justifying the CVSS score of 7.5 and the high-risk classification.

Remediation

Immediate Action: Update the Infility Global plugin to the latest available version. If the plugin is not essential, uninstall it to eliminate the attack surface.

Proactive Monitoring: Audit WordPress access logs for suspicious requests to the 'infility_get_data' action, specifically looking for URL-encoded SQL syntax.

Compensating Controls: Utilize a WAF to block requests to the vulnerable API action that contain suspicious payloads or originate from known malicious IP addresses.
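The log audit and the WAF matching described in the two items above can be prototyped with the script below. It is an added example written for this advisory, not code from the plugin vendor or from any WAF product. It assumes the action is reached through WordPress's admin-ajax.php endpoint with an `action=` query parameter (the usual pattern for plugin AJAX actions) and uses a hypothetical `id` parameter in constructed sample log lines; the page does not name the plugin's parameters. It percent-decodes each parameter repeatedly so double-encoded input is inspected in the clear, then flags requests to the action whose parameters contain generic SQL syntax. Standard access logs do not record POST bodies, which is one reason the WAF control remains necessary alongside log review.

```python
"""Triage a web-server access log for SQL-syntax requests to the 'infility_get_data' action."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/nginx "combined" log format: client IP, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Generic SQL-syntax indicators, checked against each fully decoded parameter value.
SQL_SYNTAX_RE = re.compile(
    r"\bunion\b\s+(?:all\s+)?\bselect\b"   # UNION [ALL] SELECT
    r"|\bselect\b.+\bfrom\b"               # SELECT ... FROM
    r"|\bor\b\s+\d+\s*=\s*\d+"             # OR 1=1 style tautology
    r"|'\s*(?:or|and)\b"                   # quote-break followed by a boolean operator
    r"|--|/\*"                             # SQL comment sequences
    r"|\b(?:sleep|benchmark)\s*\("         # time-based probes
    r"|\binformation_schema\b",
    re.IGNORECASE,
)


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly so double- or triple-encoded input is inspected in the clear."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_request(target: str):
    """Return (targets_action, decoded_params, matched_sql_fragment_or_None) for a request path."""
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    if "infility_get_data" not in params.get("action", []):
        return False, {}, None
    decoded = {k: [fully_decode(v) for v in vals] for k, vals in params.items() if k != "action"}
    for vals in decoded.values():
        for value in vals:
            m = SQL_SYNTAX_RE.search(value)
            if m:
                return True, decoded, m.group(0)
    return True, decoded, None


def scan_log(text: str):
    """Return one finding per log line that hits the action with SQL syntax in a parameter."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        hit, params, fragment = inspect_request(m.group("target"))
        if hit and fragment is not None:
            findings.append({
                "ip": m.group("ip"), "ts": m.group("ts"),
                "status": m.group("status"), "fragment": fragment, "params": params,
            })
    return findings


# Constructed sample log lines (not real traffic). The admin-ajax.php path and the 'id'
# parameter are assumptions; the advisory does not name the plugin's parameters.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2025:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=infility_get_data&id=42 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jan/2025:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=infility_get_data&id=42%27%20OR%201%3D1--%20 HTTP/1.1" 200 8192 "-" "curl/8.0"
203.0.113.9 - - [10/Jan/2025:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=infility_get_data&id=42%2527%2520UNION%2520SELECT HTTP/1.1" 200 8192 "-" "curl/8.0"
198.51.100.2 - - [10/Jan/2025:10:00:04 +0000] "GET /?p=1 HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} matched={f['fragment']!r} params={f['params']}")
```

Run against a real log with `scan_log(open(path).read())`; the benign request to the action (plain numeric `id`) is not reported, while the single- and double-encoded requests are, with the decoded fragment that triggered the match. The same `inspect_request` logic, applied to live requests rather than log lines, is the shape of the compensating WAF rule: scope it to the vulnerable action so it does not generate noise across the rest of the site.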

Exploitation status

Public Exploit Available: false

Analyst recommendation

This vulnerability represents a significant threat to data confidentiality. Administrators must prioritize updating the Infility Global plugin immediately to prevent unauthenticated attackers from dumping the site's database.