CVE-2026-3018: Newsletters Plugin SQL Injection Vulnerability
The Newsletters plugin for WordPress contains a time-based SQL injection flaw that allows unauthenticated attackers to manipulate database queries by injecting malicious SQL code through the 'wpmlsubscriber_id' parameter. Because the plugin fails to properly escape and prepare user input, attackers can extract sensitive data from the WordPress database without needing any credentials. All versions up to and including 4.13 are affected.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-89
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-10 / 2026-06-17
NVD description (verbatim)
The Newsletters plugin for WordPress is vulnerable to time-based SQL Injection via the ‘wpmlsubscriber_id’ parameter in all versions up to, and including, 4.13 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
3 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
This vulnerability is a classic SQL injection (CWE-89) stemming from insufficient input validation and lack of parameterized query preparation. The 'wpmlsubscriber_id' parameter is concatenated directly into SQL queries without proper escaping or prepared statement use. An attacker can inject time-based SQL payloads to infer database structure and content character-by-character through response time analysis. The unauthenticated nature of the attack vector significantly increases exploitability since no account access is required.
Business impact
Successful exploitation enables unauthorized extraction of sensitive data from the WordPress database, potentially including user credentials, subscriber information, email addresses, and other personally identifiable information (PII). For organizations relying on the Newsletters plugin for subscriber management, this represents a direct data breach risk with potential regulatory consequences under GDPR, CCPA, and similar privacy laws. Additionally, attackers may use extracted information for further social engineering or credential-based attacks.
Affected systems
The Newsletters plugin for WordPress in all versions up to and including 4.13 is vulnerable. Any WordPress installation using this plugin is at risk, regardless of additional security plugins or WAF rules, since the vulnerability exists at the application logic level. Self-hosted WordPress sites and managed WordPress hosting platforms are equally affected if the vulnerable plugin version is active.
Exploitability
The CVSS 3.1 score of 7.5 (HIGH) reflects the high exploitability of this flaw. Exploitation requires only network access and no authentication, making it trivial for unauthenticated attackers to craft malicious requests. Time-based SQL injection techniques are well-documented and tooling is publicly available. While response-time-based data exfiltration is slower than error-based injection, it is reliable and difficult to detect with basic monitoring. The lack of CISA KEV listing does not diminish the practical exploitability—it indicates active exploitation is not yet widespread in the wild, but the technical barrier to exploitation is low.
Remediation
Update the Newsletters plugin to a patched version released after 4.13. Verify the specific patched version number against the official WordPress plugin repository and the vendor's security advisory. In the interim, if an update is unavailable or delayed, consider disabling the plugin or restricting access to the affected endpoint via web application firewall rules targeting the 'wpmlsubscriber_id' parameter.
Patch guidance
Monitor the official WordPress Newsletters plugin repository for security updates. When a patched version is released, apply it immediately to all WordPress installations using this plugin. Test the update in a staging environment first to ensure compatibility with other active plugins and your site configuration. Because the vulnerability is unauthenticated and high-severity, prioritize this patching task above routine maintenance updates.
Detection guidance
Look for HTTP requests containing SQL injection syntax in the 'wpmlsubscriber_id' parameter, such as time-delay payloads (SLEEP, BENCHMARK, WAITFOR) or boolean-based logic (AND 1=1, OR 1=1). Monitor database query logs for unusual query patterns originating from the Newsletters plugin. Implement WAF rules to block requests with SQL keywords in this parameter. Enable WordPress logging and audit the database access logs for unexpected SELECT statements targeting sensitive tables like wp_users and wp_usermeta.
Why prioritize this
This vulnerability merits immediate attention because it combines high CVSS severity (7.5) with full unauthenticated exploitability and confidentiality impact on sensitive subscriber and user data. The lack of authentication requirement means any internet-facing WordPress site using the vulnerable plugin version is at active risk. Time-based SQL injection, while slower than error-based variants, remains reliably exploitable and difficult to prevent without patching. Organizations must prioritize patching this vulnerability before they become part of broader reconnaissance or data harvesting campaigns.
Risk score, explained
The CVSS 3.1 score of 7.5 reflects a HIGH severity due to the combination of: (1) network-based attack vector requiring no privileged access, (2) no user interaction required, (3) no scope change, and (4) high confidentiality impact. The lack of integrity or availability impact prevents a higher score, but the confidentiality risk alone—extraction of subscriber lists, PII, and potentially password hashes—justifies immediate remediation.
Frequently asked questions
Can this vulnerability be exploited if the Newsletters plugin is deactivated?
No. If the plugin is deactivated or removed, the vulnerable code path is not executed and the vulnerability cannot be exploited. However, simply deactivating is not the same as deletion—ensure the plugin files are removed from the WordPress installation.
Are WordPress security plugins and firewalls sufficient to protect against this vulnerability?
Standard WordPress security plugins and WAF rules may slow or block obvious SQL injection payloads, but they are not a reliable long-term defense against a known application vulnerability. Patching the plugin is the only permanent fix. WAF rules can serve as a temporary stop-gap while waiting for a patch.
If I extract data but don't modify it, am I at risk?
Yes. The vulnerability allows time-based SQL injection to exfiltrate data. Even though the attack is read-only (no integrity impact), extracting subscriber lists, email addresses, or user credentials constitutes a data breach and exposes your organization to legal, regulatory, and reputational harm.
Does this affect WordPress.com or only self-hosted WordPress?
This affects self-hosted WordPress installations using the vulnerable Newsletters plugin. WordPress.com managed hosting may have different plugin restrictions and update policies—contact your hosting provider for their plugin security practices.
This analysis is provided for informational and defensive security purposes. The vulnerability details and risk assessment are based on the CVE record and technical characteristics of SQL injection flaws. Verify all patch versions and compatibility against the official WordPress plugin repository and vendor security advisories before deployment. Organizations should test patches in a staging environment before production rollout. No exploit code or weaponized proof-of-concept is provided. All security decisions should be made in consultation with your security team and vendor guidance. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2016-20062HIGHSQL Injection in Simply Poll 1.4.1 WordPress Plugin - Unauthenticated Data Theft
- CVE-2016-20063HIGHSQL Injection in Single Personal Message 1.0.3 – Credential & Data Theft Risk
- CVE-2016-20065HIGHUnauthenticated SQL Injection in Product Catalog 8 WordPress Plugin
- CVE-2017-20243HIGHWordPress Car Park Booking Plugin SQL Injection Vulnerability
- CVE-2017-20244HIGHSQL Injection in Wow Forms WordPress Plugin v2.1 – Critical Unauth Database Extraction
- CVE-2017-20245HIGHWow Viral Signups Plugin SQL Injection Vulnerability – Analysis & Patches
- CVE-2017-20246HIGHKittyCatfish 2.2 SQL Injection Vulnerability – WordPress Plugin Security Alert
- CVE-2017-20247HIGHSQL Injection in PICA Photo Gallery 1.0