The Infility Global WordPress plugin versions prior to 2.15.19 contain a SQL Injection vulnerability (CWE-89) due to improper sanitization and escaping of some input parameters used in SQL queries. This flaw allows authenticated users with Subscriber-level privileges or above to inject malicious SQL code, potentially compromising the database integrity or confidentiality. No CVSS score or detailed vendor remediation information is currently available.

An attacker with at least Subscriber-level access can exploit this vulnerability to perform SQL Injection attacks, which may lead to unauthorized data access, data modification, or other database-related impacts depending on the application's database permissions and structure. The exact impact depends on the database and environment but could be significant given the nature of SQL Injection.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict user privileges where possible and monitor for suspicious activity related to SQL queries involving the plugin. Avoid granting Subscriber-level or higher access to untrusted users.