Introduction
An unauthenticated SQL injection in the Creative Mail plugin for WordPress allows remote attackers to extract sensitive information directly from the database, with no login required and no user interaction necessary. Given that this plugin is purpose built for WooCommerce integration, affected sites are likely to hold customer PII, order data, and payment metadata, making the confidentiality impact particularly meaningful.
Creative Mail is an email marketing plugin developed by Constant Contact, designed from the ground up as a WordPress first marketing service. It integrates deeply with both Jetpack and WooCommerce, targeting ecommerce operators who need streamlined email campaign management. The plugin's presence on commerce oriented sites means the databases it touches routinely contain high value customer and transactional data.
Technical Information
CVE-2026-3985 is classified under CWE-89: Improper Neutralization of Special Elements used in an SQL Command. The CVSS 3.1 score is 7.5 with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, reflecting network accessibility, low attack complexity, no privilege requirements, no user interaction, and high confidentiality impact with no direct integrity or availability impact.
Root Cause
The vulnerability resides in the has_checkout_consent() method within the plugin's CheckoutManager.php file. This method accepts a checkout_uuid parameter from user input and passes it into a SQL query without sufficient escaping and without using WordPress's $wpdb->prepare() function or any equivalent parameterized query mechanism. The vulnerable code paths are traceable through two files in the 1.6.9 release:
CheckoutManager.phpat line 100, where thecheckout_uuidvalue is receivedDatabaseManager.phpat line 298, where the unsanitized value is incorporated into the SQL query
Because the checkout_uuid value is concatenated or interpolated directly into the query string rather than being bound as a parameter, an attacker can inject arbitrary SQL fragments.
Attack Flow
The exploitation path for this vulnerability follows a straightforward pattern:
- An attacker identifies a WordPress site running the Creative Mail plugin at version 1.6.9 or earlier. Plugin detection is trivial using standard WordPress fingerprinting techniques.
- The attacker crafts a request that supplies a malicious
checkout_uuidvalue. This parameter is accessible without any authentication, meaning no WordPress account or session is needed. - The malicious
checkout_uuidvalue contains appended SQL statements. Because thehas_checkout_consent()method does not properly escape or parameterize this input, the injected SQL is executed as part of the existing query. - Through techniques such as UNION based injection, blind boolean based injection, or time based blind injection, the attacker extracts data from the WordPress database. This can include user credentials, customer records, WooCommerce order details, and any other information stored in the database.
The entire attack is network exploitable with low complexity. No special conditions, elevated privileges, or victim interaction are required. This profile makes the vulnerability highly susceptible to automated scanning and mass exploitation.
Confirmed Technical Parameters
| Source | Affected Versions | Vulnerable Parameter | Vulnerable Method | CVSS Score |
|---|---|---|---|---|
| Wordfence Advisory | Up to 1.6.9 | checkout_uuid | has_checkout_consent() | 7.5 High |
| CVE Record | 0 through 1.6.9 | checkout_uuid | has_checkout_consent() | 7.5 High |
Affected Systems and Versions
All versions of the Creative Mail (Easier WordPress and WooCommerce Email Marketing) plugin from version 0 through version 1.6.9 inclusive are affected. The plugin is identified by its WordPress slug creative-mail-by-constant-contact.
Any WordPress installation running one of these versions is vulnerable regardless of configuration, as the vulnerable code path is reachable by unauthenticated users. Sites with WooCommerce active alongside this plugin face elevated data exposure risk due to the nature of the stored data.
As of May 14, 2026, the plugin has been closed on the WordPress plugin repository and is no longer available for new downloads. This closure is marked as temporary pending a full review. No patched version has been released.
References
- Wordfence Threat Intelligence Advisory for CVE-2026-3985
- CVE Record: CVE-2026-3985
- Vulnerable Source: CheckoutManager.php (line 100, version 1.6.9)
- Vulnerable Source: DatabaseManager.php (line 298, version 1.6.9)
- Trunk Source: DatabaseManager.php (line 298)
- WordPress Plugin Page: Creative Mail by Constant Contact
- Jetpack: Introducing Creative Mail for Jetpack
- Constant Contact Official Site



