Introduction
Over 20,000 WordPress sites running the Newsletters plugin are exposed to unauthenticated database extraction through a time-based SQL injection vulnerability that requires nothing more than a crafted HTTP request. The flaw, tracked as CVE-2026-3018, marks the third SQL injection disclosure in this plugin's history and was patched alongside a separate authentication bypass, painting a concerning picture of the plugin's overall code quality.
The Newsletters plugin, developed by Tribulant Software, provides email marketing and newsletter management capabilities for WordPress sites. With 20,000+ active installations and a presence on the WordPress plugin repository since 2014, it serves a mid-market segment of site operators who need subscriber management and email campaign tools integrated directly into WordPress.
Technical Information
Root Cause
CVE-2026-3018 is classified under CWE-89 (Improper Neutralization of Special Elements used in an SQL Command). The vulnerability resides in the wpmlsubscriber_id parameter processed within the wp-mailinglist-plugin.php file, with the vulnerable code located around line 6040 in version 4.11.
The root cause involves two compounding deficiencies:
- Insufficient escaping on the user supplied
wpmlsubscriber_idparameter, meaning attacker controlled input was not sanitized before being incorporated into a database query. - Lack of parameterized query preparation, where the plugin constructed SQL statements through direct string concatenation rather than using WordPress's
$wpdb->prepare()method.
The vulnerable pattern followed a structure where user input from $_POST['subscriber_id'] was concatenated directly into a SQL string (e.g., $query = "SELECT ... WHERE id = " . $var), allowing an attacker to inject arbitrary SQL fragments that the database engine would execute as part of the legitimate query.
CVSS Breakdown
The CVSS v3.1 vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N scores 7.5 (High) and breaks down as follows:
| Metric | Value | Significance |
|---|---|---|
| Attack Vector | Network | Remotely exploitable over the internet |
| Attack Complexity | Low | No specialized conditions required |
| Privileges Required | None | No authentication needed |
| User Interaction | None | No victim action required |
| Scope | Unchanged | Impact confined to vulnerable component |
| Confidentiality | High | Full database contents extractable |
| Integrity | None | No direct data modification |
| Availability | None | No direct denial of service |
Attack Flow
This is a time-based blind SQL injection. The exploitation sequence works as follows:
-
The attacker identifies a WordPress site running the Newsletters plugin at version 4.13 or earlier. Plugin detection is straightforward through standard WordPress enumeration techniques.
-
The attacker sends an HTTP request containing a crafted
wpmlsubscriber_idparameter value. The payload includes time delay SQL functions such asSLEEP()orBENCHMARK()in MySQL. -
Because the parameter value is concatenated directly into the SQL query without escaping or parameterization, the injected SQL fragment becomes part of the executed query.
-
By measuring the HTTP response time, the attacker can infer boolean conditions about the database contents. For example, if a
SLEEP(5)payload causes a 5 second delay, the attacker knows the injected condition evaluated to true. -
Through iterative requests, the attacker extracts data one bit or character at a time. This process is slower than in-band SQL injection but is fully automatable with tools like sqlmap.
-
The high confidentiality impact rating reflects that an attacker can systematically extract the entire WordPress database: user credentials, email addresses, subscriber data, site configuration, and any other stored information.
Because the vulnerability requires no authentication (PR:N), no user interaction (UI:N), and is reachable over the network (AV:N) with low complexity (AC:L), the barrier to exploitation is minimal. Automated scanning and exploitation at scale is entirely feasible.
The Fix in Changeset 3566485
The patch, committed on June 9, 2026 by developer mohsenr1, modified seven files. The critical fix in wp-mailinglist-plugin.php (13 diffs) replaced raw string concatenation with $wpdb->prepare() calls using typed placeholders such as %d for integer values. This approach separates SQL code from user data at the database driver level, preventing injected payloads from altering the query structure.
Notably, the same changeset also addressed CVE-2026-8978, an authentication bypass caused by the use of predictable md5($subscriber->id) tokens for cookie authentication. The fix replaced this with wp_generate_password(32, false) for cryptographically secure token generation and added an explicit guard rejecting predictable tokens. The co-occurrence of these two vulnerability classes in a single patch release indicates broader security deficiencies in the codebase.
Affected Systems and Versions
The following versions are affected:
- Newsletters plugin for WordPress: All versions up to and including 4.13
- Plugin slug:
newsletters-lite - Fixed in: Version 4.14 (released June 9, 2026)
Any WordPress site running the Newsletters plugin at version 4.13 or earlier is vulnerable regardless of WordPress core version or server configuration. The vulnerability is in the plugin's own PHP code and does not depend on any particular WordPress or MySQL version.
Vendor Security History
Tribulant Software's Newsletters plugin has a documented pattern of SQL injection vulnerabilities spanning nearly a decade:
| Date | Vulnerability | Affected Versions |
|---|---|---|
| June 2017 | Multiple security vulnerabilities (DefenseCode advisory) | 4.6.4.2 |
| March 2025 | SQL Injection (Patchstack disclosure) | 4.9.9.7 and earlier |
| June 2026 | Unauthenticated SQL Injection (CVE-2026-3018) | 4.13 and earlier |
| June 2026 | Authentication Bypass (CVE-2026-8978) | 4.13 and earlier |
The recurrence of SQL injection across versions 4.6.4.2, 4.9.9.7, and 4.13 suggests a systemic issue with how the plugin constructs database queries rather than isolated oversights. The fact that predictable md5() tokens were still in use for authentication in 2026 further indicates that modern security practices were not consistently applied during development.
The vulnerability was discovered and reported by researcher wesley (wcraft), with coordinated disclosure on June 9, 2026 and the NVD entry published on June 10, 2026.
References
- NVD Entry for CVE-2026-3018
- Wordfence Threat Intel Advisory: Newsletters <= 4.13 Unauthenticated SQL Injection
- Wordfence Vulnerability Detail Page
- Changeset 3566485 for newsletters-lite (Patch Diff)
- Vulnerable Code in wp-mailinglist-plugin.php (Version 4.11, Line 6040)
- Newsletters Plugin on WordPress.org
- Patchstack: Prior SQL Injection in Newsletters Plugin (Version 4.9.9.7)
- NVD Entry for CVE-2026-8978 (Related Authentication Bypass)
- Exploit-DB: WordPress Plugin Tribulant Newsletters 4.6.4.2 (2017 Advisory)
- Tribulant Software Website
- Tribulant Software WordPress.org Profile
- CISA Known Exploited Vulnerabilities Catalog



