ZeroPath at Black Hat USA 2026

Brief Summary: CVE-2026-3018 Unauthenticated SQL Injection in WordPress Newsletters Plugin

A short review of CVE-2026-3018, an unauthenticated time-based SQL injection in the WordPress Newsletters plugin (versions 4.13 and earlier) that allows remote attackers to extract sensitive database contents without authentication.

CVE Analysis

8 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-06-10

Brief Summary: CVE-2026-3018 Unauthenticated SQL Injection in WordPress Newsletters Plugin
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

Over 20,000 WordPress sites running the Newsletters plugin are exposed to unauthenticated database extraction through a time-based SQL injection vulnerability that requires nothing more than a crafted HTTP request. The flaw, tracked as CVE-2026-3018, marks the third SQL injection disclosure in this plugin's history and was patched alongside a separate authentication bypass, painting a concerning picture of the plugin's overall code quality.

The Newsletters plugin, developed by Tribulant Software, provides email marketing and newsletter management capabilities for WordPress sites. With 20,000+ active installations and a presence on the WordPress plugin repository since 2014, it serves a mid-market segment of site operators who need subscriber management and email campaign tools integrated directly into WordPress.

Technical Information

Root Cause

CVE-2026-3018 is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). The vulnerability resides in the wpmlsubscriber_id parameter processed within the wp-mailinglist-plugin.php file, with the vulnerable code located around line 6040 in version 4.11.

The root cause involves two compounding deficiencies:

  1. Insufficient escaping on the user supplied wpmlsubscriber_id parameter, meaning attacker controlled input was not sanitized before being incorporated into a database query.
  2. Lack of parameterized query preparation, where the plugin constructed SQL statements through direct string concatenation rather than using WordPress's $wpdb->prepare() method.

The vulnerable pattern followed a structure where user input from $_POST['subscriber_id'] was concatenated directly into a SQL string (e.g., $query = "SELECT ... WHERE id = " . $var), allowing an attacker to inject arbitrary SQL fragments that the database engine would execute as part of the legitimate query.

CVSS Breakdown

The CVSS v3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N scores 7.5 (High) and breaks down as follows:

MetricValueSignificance
Attack VectorNetworkRemotely exploitable over the internet
Attack ComplexityLowNo specialized conditions required
Privileges RequiredNoneNo authentication needed
User InteractionNoneNo victim action required
ScopeUnchangedImpact confined to vulnerable component
ConfidentialityHighFull database contents extractable
IntegrityNoneNo direct data modification
AvailabilityNoneNo direct denial of service

Attack Flow

This is a time-based blind SQL injection. The exploitation sequence works as follows:

  1. The attacker identifies a WordPress site running the Newsletters plugin at version 4.13 or earlier. Plugin detection is straightforward through standard WordPress enumeration techniques.

  2. The attacker sends an HTTP request containing a crafted wpmlsubscriber_id parameter value. The payload includes time delay SQL functions such as SLEEP() or BENCHMARK() in MySQL.

  3. Because the parameter value is concatenated directly into the SQL query without escaping or parameterization, the injected SQL fragment becomes part of the executed query.

  4. By measuring the HTTP response time, the attacker can infer boolean conditions about the database contents. For example, if a SLEEP(5) payload causes a 5 second delay, the attacker knows the injected condition evaluated to true.

  5. Through iterative requests, the attacker extracts data one bit or character at a time. This process is slower than in-band SQL injection but is fully automatable with tools like sqlmap.

  6. The high confidentiality impact rating reflects that an attacker can systematically extract the entire WordPress database: user credentials, email addresses, subscriber data, site configuration, and any other stored information.

Because the vulnerability requires no authentication (PR:N), no user interaction (UI:N), and is reachable over the network (AV:N) with low complexity (AC:L), the barrier to exploitation is minimal. Automated scanning and exploitation at scale is entirely feasible.

The Fix in Changeset 3566485

The patch, committed on June 9, 2026 by developer mohsenr1, modified seven files. The critical fix in wp-mailinglist-plugin.php (13 diffs) replaced raw string concatenation with $wpdb->prepare() calls using typed placeholders such as %d for integer values. This approach separates SQL code from user data at the database driver level, preventing injected payloads from altering the query structure.

Notably, the same changeset also addressed CVE-2026-8978, an authentication bypass caused by the use of predictable md5($subscriber->id) tokens for cookie authentication. The fix replaced this with wp_generate_password(32, false) for cryptographically secure token generation and added an explicit guard rejecting predictable tokens. The co-occurrence of these two vulnerability classes in a single patch release indicates broader security deficiencies in the codebase.

Affected Systems and Versions

The following versions are affected:

  • Newsletters plugin for WordPress: All versions up to and including 4.13
  • Plugin slug: newsletters-lite
  • Fixed in: Version 4.14 (released June 9, 2026)

Any WordPress site running the Newsletters plugin at version 4.13 or earlier is vulnerable regardless of WordPress core version or server configuration. The vulnerability is in the plugin's own PHP code and does not depend on any particular WordPress or MySQL version.

Vendor Security History

Tribulant Software's Newsletters plugin has a documented pattern of SQL injection vulnerabilities spanning nearly a decade:

DateVulnerabilityAffected Versions
June 2017Multiple security vulnerabilities (DefenseCode advisory)4.6.4.2
March 2025SQL Injection (Patchstack disclosure)4.9.9.7 and earlier
June 2026Unauthenticated SQL Injection (CVE-2026-3018)4.13 and earlier
June 2026Authentication Bypass (CVE-2026-8978)4.13 and earlier

The recurrence of SQL injection across versions 4.6.4.2, 4.9.9.7, and 4.13 suggests a systemic issue with how the plugin constructs database queries rather than isolated oversights. The fact that predictable md5() tokens were still in use for authentication in 2026 further indicates that modern security practices were not consistently applied during development.

The vulnerability was discovered and reported by researcher wesley (wcraft), with coordinated disclosure on June 9, 2026 and the NVD entry published on June 10, 2026.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization