ZeroPath at Black Hat USA 2026

Creative Mail WordPress Plugin CVE-2026-3985: Brief Summary of Unauthenticated SQL Injection via checkout_uuid

A brief summary of CVE-2026-3985, a high severity unauthenticated SQL injection vulnerability in the Creative Mail plugin for WordPress affecting all versions up to and including 1.6.9. The flaw allows remote attackers to extract sensitive database information without authentication.

CVE Analysis

5 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-19

Creative Mail WordPress Plugin CVE-2026-3985: Brief Summary of Unauthenticated SQL Injection via checkout_uuid
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

An unauthenticated SQL injection in the Creative Mail plugin for WordPress allows remote attackers to extract sensitive information directly from the database, with no login required and no user interaction necessary. Given that this plugin is purpose built for WooCommerce integration, affected sites are likely to hold customer PII, order data, and payment metadata, making the confidentiality impact particularly meaningful.

Creative Mail is an email marketing plugin developed by Constant Contact, designed from the ground up as a WordPress first marketing service. It integrates deeply with both Jetpack and WooCommerce, targeting ecommerce operators who need streamlined email campaign management. The plugin's presence on commerce oriented sites means the databases it touches routinely contain high value customer and transactional data.

Technical Information

CVE-2026-3985 is classified under CWE-89: Improper Neutralization of Special Elements used in an SQL Command. The CVSS 3.1 score is 7.5 with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, reflecting network accessibility, low attack complexity, no privilege requirements, no user interaction, and high confidentiality impact with no direct integrity or availability impact.

Root Cause

The vulnerability resides in the has_checkout_consent() method within the plugin's CheckoutManager.php file. This method accepts a checkout_uuid parameter from user input and passes it into a SQL query without sufficient escaping and without using WordPress's $wpdb->prepare() function or any equivalent parameterized query mechanism. The vulnerable code paths are traceable through two files in the 1.6.9 release:

  1. CheckoutManager.php at line 100, where the checkout_uuid value is received
  2. DatabaseManager.php at line 298, where the unsanitized value is incorporated into the SQL query

Because the checkout_uuid value is concatenated or interpolated directly into the query string rather than being bound as a parameter, an attacker can inject arbitrary SQL fragments.

Attack Flow

The exploitation path for this vulnerability follows a straightforward pattern:

  1. An attacker identifies a WordPress site running the Creative Mail plugin at version 1.6.9 or earlier. Plugin detection is trivial using standard WordPress fingerprinting techniques.
  2. The attacker crafts a request that supplies a malicious checkout_uuid value. This parameter is accessible without any authentication, meaning no WordPress account or session is needed.
  3. The malicious checkout_uuid value contains appended SQL statements. Because the has_checkout_consent() method does not properly escape or parameterize this input, the injected SQL is executed as part of the existing query.
  4. Through techniques such as UNION based injection, blind boolean based injection, or time based blind injection, the attacker extracts data from the WordPress database. This can include user credentials, customer records, WooCommerce order details, and any other information stored in the database.

The entire attack is network exploitable with low complexity. No special conditions, elevated privileges, or victim interaction are required. This profile makes the vulnerability highly susceptible to automated scanning and mass exploitation.

Confirmed Technical Parameters

SourceAffected VersionsVulnerable ParameterVulnerable MethodCVSS Score
Wordfence AdvisoryUp to 1.6.9checkout_uuidhas_checkout_consent()7.5 High
CVE Record0 through 1.6.9checkout_uuidhas_checkout_consent()7.5 High

Affected Systems and Versions

All versions of the Creative Mail (Easier WordPress and WooCommerce Email Marketing) plugin from version 0 through version 1.6.9 inclusive are affected. The plugin is identified by its WordPress slug creative-mail-by-constant-contact.

Any WordPress installation running one of these versions is vulnerable regardless of configuration, as the vulnerable code path is reachable by unauthenticated users. Sites with WooCommerce active alongside this plugin face elevated data exposure risk due to the nature of the stored data.

As of May 14, 2026, the plugin has been closed on the WordPress plugin repository and is no longer available for new downloads. This closure is marked as temporary pending a full review. No patched version has been released.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization