Skip to main content

Newsletters Plugin CVE-2026-3018

| EUVD-2026-35997 HIGH
SQL Injection (CWE-89)
2026-06-10 Wordfence GHSA-gfq4-fcqw-rmwq
SQLi WordPress
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 10, 2026 - 10:15 vuln.today
CVE Published
Jun 10, 2026 - 08:28 nvd
HIGH 7.5

DescriptionCVE.org

The Newsletters plugin for WordPress is vulnerable to time-based SQL Injection via the ‘wpmlsubscriber_id’ parameter in all versions up to, and including, 4.13 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Articles & Coverage 1

News 5 New WordPress Vulnerabilities - 2 Critical, 3 With POC Jun 11, 2026

AnalysisAI

Unauthenticated time-based SQL injection in the Newsletters plugin for WordPress (versions up to and including 4.13) allows remote attackers to extract sensitive database contents via the 'wpmlsubscriber_id' parameter. The flaw stems from insufficient input escaping and lack of prepared statements, and no public exploit identified at time of analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site running Newsletters plugin
Delivery
Send crafted request with SQL payload in wpmlsubscriber_id
Exploit
Trigger time-based blind SQL injection
Execution
Measure response delays to infer data
Impact
Exfiltrate password hashes and subscriber PII from database
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires only that the target WordPress site has the Newsletters plugin (vendor contrid, also distributed as 'newsletters-lite') installed and activated at version 4.13 or earlier, with the endpoint that accepts the 'wpmlsubscriber_id' parameter reachable over the network - which is the default for subscriber management URLs. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) indicates a network-reachable, low-complexity, unauthenticated attack with high confidentiality impact but no integrity or availability impact - consistent with read-only data exfiltration via blind SQLi. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker sends crafted HTTP requests to a WordPress endpoint exposed by the Newsletters plugin, supplying a 'wpmlsubscriber_id' parameter containing time-delay SQL payloads (e.g., AND SLEEP(5)) and measuring response latency to infer database contents bit by bit. Using an automated tool such as sqlmap, the attacker progressively extracts the wp_users table to recover administrator password hashes and subscriber email addresses for downstream cracking, credential stuffing, or sale. …
Remediation Upstream fix available (PR/commit); released patched version not independently confirmed - the fix is visible in WordPress.org plugin changeset 3566485 (https://plugins.trac.wordpress.org/changeset/3566485/newsletters-lite), so administrators should upgrade the Newsletters plugin to the latest version published after that changeset (any release greater than 4.13) via the WordPress admin dashboard. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

24 hours: Conduct inventory of all WordPress instances running Newsletters plugin versions 4.13 or earlier; identify and document affected systems and their business criticality. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-8935 CRITICAL POC
9.8 Jun 15

The WP MAPS PRO WordPress plugin before 6.1.1 registers an unauthenticated AJAX action which, given a valid nonce that i
CVE-2026-10795 HIGH POC
8.1 Jun 11

Remote code execution in UpdraftPlus: WP Backup & Migration Plugin for WordPress (versions ≤1.26.4) allows unauthenticat
CVE-2026-8089 HIGH POC
7.1 Jun 17

The weMail: Email Marketing, Email Automation, Newsletters, Subscribers & Email Optins for WooCommerce WordPress plugin

CVE-2026-9570 HIGH POC
7.1 Jun 17

The Taskbuilder WordPress plugin before 5.0.8 does not properly sanitise a URL parameter before echoing it into inline

CVE-2026-52704 CRITICAL
10.0 Jun 15

Remote code execution in Edgar Rojas WooCommerce PDF Invoice Builder WordPress plugin (versions through 2.0.8) allows un

Share

CVE-2026-3018 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy