
Security Bulletin for 23 June 2026: SQL Injection in Infility Global and Two Still-Unpatched WordPress Plugin Flaws

23 June 2026 · jproxx Security

This is our daily security overview, in which we review the newly published vulnerabilities and pick out the ones that genuinely matter for running WordPress websites, online shops and PHP applications. Every statement in this bulletin has been checked against its underlying primary source, which is linked at the end of each section. Three WordPress plugin vulnerabilities are relevant for 23 June 2026, of which only one has been fixed so far; the other two remain uncorrected at the time of this publication, which is why we additionally describe concrete interim measures here.

CVE-2026-8163 — SQL Injection in the Infility Global WordPress Plugin (high)

A SQL injection vulnerability has been discovered in all versions of the Infility Global WordPress plugin before 2.15.19, and it arises because several parameters passed through the application — the order parameter in particular — are not sufficiently sanitised and escaped before they are used in SQL statements. Because the flaw can already be exploited by authenticated users holding the low-privilege “Subscriber” role, on many sites an ordinary, often freely self-registered account is enough to inject manipulated database queries and, by this means, to read or alter confidential contents of the database. The National Vulnerability Database rates the vulnerability at a CVSS score of 8.8, which is high. Unlike the two flaws that follow, a fix is already available here, so operators should update the plugin to version 2.15.19 or newer without delay.

Sources: National Vulnerability Database — CVE-2026-8163 · WPScan advisory
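The defensive pattern behind this class of bug is worth spelling out, because a sort column or direction cannot be bound as a placeholder in `$wpdb->prepare()` and therefore has to be mapped onto a fixed allow-list instead of being sanitised. The following block is an added illustration written for this bulletin; it is not code from the Infility Global plugin and makes no claim about how that plugin is structured. The table name, column names and request keys are constructed for the example.

```php
<?php
// Added example (not Infility Global code): handling an order/orderby parameter
// safely. Column and direction come from our own literals via an allow-list;
// only values (status, page size) go through prepare() placeholders.
// Table and column names below are constructed for this illustration.

function jp_example_fetch_items( array $request ) {
    global $wpdb;

    // Allow-list: the request may only name these keys, which map to real columns.
    $sortable = array(
        'date'  => 'created_at',
        'title' => 'title',
        'price' => 'price',
    );

    $order_key = isset( $request['orderby'] ) ? sanitize_key( $request['orderby'] ) : 'date';
    $column    = isset( $sortable[ $order_key ] ) ? $sortable[ $order_key ] : 'created_at';

    // Direction collapses to exactly two literals; any other input becomes ASC.
    $order = ( isset( $request['order'] ) && 'desc' === strtolower( (string) $request['order'] ) ) ? 'DESC' : 'ASC';

    // Data values are bound with placeholders, never interpolated.
    $status = isset( $request['status'] ) ? sanitize_text_field( wp_unslash( $request['status'] ) ) : 'published';
    $limit  = isset( $request['per_page'] ) ? min( 100, max( 1, (int) $request['per_page'] ) ) : 20;

    $table = $wpdb->prefix . 'jp_example_items'; // constructed table name

    // $column and $order may be interpolated only because they were selected from
    // the literals above; the raw request strings never reach the SQL text.
    $sql = $wpdb->prepare(
        "SELECT id, title, price, created_at FROM {$table} WHERE status = %s ORDER BY {$column} {$order} LIMIT %d",
        $status,
        $limit
    );

    return $wpdb->get_results( $sql, ARRAY_A );
}
```

The point of the allow-list is that `sanitize_text_field()` or escaping alone does not make an identifier safe: a column name is not a string value, so the only reliable control is to refuse anything that is not one of a handful of known literals.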

CVE-2026-8379 — Unauthenticated File Download in the Frontend File Manager Plugin (high, no fix yet)

The widely used Frontend File Manager plugin, which lets visitors upload and download files through the front end of a WordPress site, fails to properly enforce the nonce intended to protect its download handler in all versions up to and including 23.6. As a result, unauthenticated attackers — that is, people without any account at all — can simply iterate through the internal identifiers of the uploaded files and thereby download documents that other users have uploaded and that were never meant to be publicly accessible. Since such uploads may, depending on how the site is used, contain personal data, contracts or other confidential records, this uncontrolled disclosure is particularly sensitive and also relevant under data-protection law. The National Vulnerability Database classifies the flaw at a CVSS score of 7.5, which is high, yet at the time of this publication, according to WPScan, no corrected version is available. Until an update is released, operators should deactivate the plugin when it is not strictly needed, restrict access to the affected endpoints and filter suspicious download requests through a web application firewall.

Sources: National Vulnerability Database — CVE-2026-8379 · WPScan advisory
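Two separate controls are at stake in a download handler of this kind: the nonce, which only proves that the request originated from a page the site rendered, and the authorization check, which is what actually prevents walking through file identifiers that belong to other users. The block below is an added illustration for this bulletin, not code from the Frontend File Manager plugin, and says nothing about how that plugin stores files. The hook name, the action string and the use of attachments as the storage model are constructed assumptions.

```php
<?php
// Added example (not Frontend File Manager code): a download handler that fails
// closed at each step. Hook names, action string and attachment-based storage
// are constructed for this illustration.

add_action( 'admin_post_jp_example_download', 'jp_example_download' );
add_action( 'admin_post_nopriv_jp_example_download', 'jp_example_download' );

function jp_example_download() {
    // 1. Nonce: rejects forged or stale links. The nonce alone is NOT an
    //    authorization decision; it only ties the request to a rendered page.
    $nonce = isset( $_GET['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_GET['_wpnonce'] ) ) : '';
    if ( ! wp_verify_nonce( $nonce, 'jp_example_download' ) ) {
        wp_die( 'Invalid or expired download link.', 'Forbidden', array( 'response' => 403 ) );
    }

    // 2. Authentication: anonymous visitors are refused regardless of the nonce.
    if ( ! is_user_logged_in() ) {
        wp_die( 'Please log in.', 'Unauthorized', array( 'response' => 401 ) );
    }

    // 3. Authorization: the file must belong to the requester, or the requester
    //    must hold a capability that covers everyone's files.
    $file_id = isset( $_GET['file'] ) ? absint( $_GET['file'] ) : 0;
    $post    = $file_id ? get_post( $file_id ) : null;
    if ( ! $post || 'attachment' !== $post->post_type ) {
        wp_die( 'Not found.', 'Not Found', array( 'response' => 404 ) );
    }
    $is_owner = ( (int) $post->post_author === get_current_user_id() );
    if ( ! $is_owner && ! current_user_can( 'manage_options' ) ) {
        // Same response as for a missing id, so the handler does not reveal
        // which identifiers exist to someone probing the sequence.
        wp_die( 'Not found.', 'Not Found', array( 'response' => 404 ) );
    }

    // 4. Serve only the path WordPress resolved for that attachment, never a
    //    client-supplied path.
    $path = get_attached_file( $post->ID );
    if ( ! $path || ! is_readable( $path ) ) {
        wp_die( 'Not found.', 'Not Found', array( 'response' => 404 ) );
    }
    nocache_headers();
    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="' . basename( $path ) . '"' );
    header( 'Content-Length: ' . filesize( $path ) );
    readfile( $path );
    exit;
}

// Link generation: the nonce is bound to the same action string the handler checks.
function jp_example_download_url( $file_id ) {
    $url = add_query_arg(
        array( 'action' => 'jp_example_download', 'file' => absint( $file_id ) ),
        admin_url( 'admin-post.php' )
    );
    return wp_nonce_url( $url, 'jp_example_download' );
}
```

When reviewing a third-party plugin for this pattern, the question to ask is whether step 3 exists at all: a handler that verifies a nonce but then serves whatever id it is given still lets any visitor who can obtain one valid link enumerate the rest.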

CVE-2026-8172 — Reflected Cross-Site Scripting in the Simple Basic Contact Form Plugin (high, no fix yet)

The Simple Basic Contact Form plugin outputs the input submitted by the user back into the contact form on validation errors without escaping it first, in all versions up to and including release 20250114. This gives rise to a reflected cross-site scripting vulnerability through which an unauthenticated attacker can run malicious code in the browser of a site visitor as soon as that visitor follows a crafted link or triggers a manipulated form submission. Attacks of this kind can be used, among other things, to hijack sessions, to capture what a user types or to redirect visitors unnoticed to fraudulent sites. The National Vulnerability Database rates the vulnerability at a CVSS score of 7.1, which is high, and in this case, too, no corrected version is currently available according to WPScan, so until an update arrives, deactivating the plugin, restricting access and filtering suspicious requests through a web application firewall remain the most effective countermeasures.

Sources: National Vulnerability Database — CVE-2026-8172 · WPScan advisory
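The root cause described here, reflecting submitted values back into the form unescaped, is fixed by escaping each value for the exact HTML context it lands in, which is a different step from sanitising input. The block below is an added illustration for this bulletin and is not code from the Simple Basic Contact Form plugin; its field names and the shape of the error array are constructed.

```php
<?php
// Added example (not Simple Basic Contact Form code): re-rendering a contact
// form after a validation error with every reflected value escaped for its
// output context. Field names and the $errors array shape are constructed.

function jp_example_render_contact_form( array $submitted, array $errors ) {
    // Input-side cleanup (sanitize_*) and output-side escaping (esc_*) are
    // separate layers; the escaping is what neutralises reflected XSS.
    $name    = isset( $submitted['name'] ) ? sanitize_text_field( wp_unslash( $submitted['name'] ) ) : '';
    $email   = isset( $submitted['email'] ) ? sanitize_email( wp_unslash( $submitted['email'] ) ) : '';
    $message = isset( $submitted['message'] ) ? sanitize_textarea_field( wp_unslash( $submitted['message'] ) ) : '';

    ob_start();
    ?>
    <form method="post" action="<?php echo esc_url( get_permalink() ); ?>">
        <?php wp_nonce_field( 'jp_example_contact', 'jp_example_nonce' ); ?>
        <?php foreach ( $errors as $error ) : ?>
            <!-- esc_html(): text node between tags -->
            <p class="error"><?php echo esc_html( $error ); ?></p>
        <?php endforeach; ?>
        <!-- esc_attr(): inside a quoted attribute value -->
        <label>Name <input type="text" name="name" value="<?php echo esc_attr( $name ); ?>"></label>
        <label>E-mail <input type="email" name="email" value="<?php echo esc_attr( $email ); ?>"></label>
        <!-- esc_textarea(): inside <textarea>...</textarea> -->
        <label>Message <textarea name="message"><?php echo esc_textarea( $message ); ?></textarea></label>
        <button type="submit">Send</button>
    </form>
    <?php
    return ob_get_clean();
}

// Constructed usage: a submission that failed validation is echoed back safely.
function jp_example_handle_submission() {
    $errors = array();
    if ( ! isset( $_POST['jp_example_nonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_POST['jp_example_nonce'] ) ), 'jp_example_contact' ) ) {
        $errors[] = 'The form has expired, please try again.';
    }
    if ( empty( $_POST['email'] ) || ! is_email( wp_unslash( $_POST['email'] ) ) ) {
        $errors[] = 'Please enter a valid e-mail address.';
    }
    if ( $errors ) {
        // Even the attacker-influenced values in $_POST come back escaped.
        return jp_example_render_contact_form( $_POST, $errors );
    }
    return '<p>Thank you, your message has been sent.</p>';
}
```

The three escaping functions differ because the browser parses each context differently: a value that is harmless as a text node can still break out of an attribute, so the choice of escaper must follow where the string is written, not where it came from.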

This bulletin is provided for security awareness. The official notices from the respective vendors and the sources linked above always take precedence.