CVE-2026-3018
Description
WordPress Newsletters plugin vulnerable to time-based SQL Injection via wpmlsubscriber_id parameter, allowing unauthenticated attackers to extract sensitive data.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Newsletters plugin for WordPress, in all versions up to and including 4.13, is vulnerable to time-based (blind) SQL injection. The wpmlsubscriber_id parameter is insufficiently escaped and the query it feeds is not prepared with bound parameters, so attacker-supplied text becomes part of the SQL statement instead of being treated as a value.
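To make the root cause concrete, here is an added, illustrative example (not the plugin's own code) of the two query-construction styles the paragraph contrasts. It uses an in-memory sqlite3 table standing in for the real subscriber table; the table and rows are constructed for the example. sqlite has no SLEEP(), so the vulnerable path is shown with a boolean condition: the attacker learns whether an injected condition is true from which rows come back. In MySQL, the database WordPress runs on, the same primitive is turned into a time-based one by making the condition control a delay, which is what "time-based" means in the description.

```python
"""Vulnerable vs. hardened subscriber lookup (added illustration, sqlite3 stand-in).

Assumptions: table name, column names and rows are constructed for this
example; they are not taken from the Newsletters plugin.
"""
import re
import sqlite3

SUBSCRIBER_ID_RE = re.compile(r"[0-9]+")  # a plain decimal integer, nothing else


def make_db() -> sqlite3.Connection:
    """Build the constructed sample table the two lookups run against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE subscribers (id INTEGER PRIMARY KEY, email TEXT)")
    conn.executemany(
        "INSERT INTO subscribers VALUES (?, ?)",
        [(1, "a@example.com"), (2, "b@example.com"), (3, "c@example.com")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, subscriber_id: str) -> list[str]:
    """Insufficient escaping: the request parameter is pasted into the SQL text.

    Whatever the caller sends becomes part of the WHERE clause, so a value such
    as "1 OR 1=1" widens the query and "1 AND 1=2" empties it.
    """
    sql = f"SELECT email FROM subscribers WHERE id = {subscriber_id}"
    return [row[0] for row in conn.execute(sql)]


def is_valid_subscriber_id(subscriber_id: object) -> bool:
    """True only for a string consisting solely of ASCII digits."""
    return isinstance(subscriber_id, str) and SUBSCRIBER_ID_RE.fullmatch(subscriber_id) is not None


def lookup_hardened(conn: sqlite3.Connection, subscriber_id: str) -> list[str]:
    """Validate the type, then bind the value as a query parameter.

    Either measure alone would stop this injection; doing both means a bug in
    one does not become a vulnerability. In WordPress the equivalent binding is
    $wpdb->prepare() with a %d placeholder.
    """
    if not is_valid_subscriber_id(subscriber_id):
        raise ValueError("wpmlsubscriber_id must be a decimal integer")
    sql = "SELECT email FROM subscribers WHERE id = ?"
    return [row[0] for row in conn.execute(sql, (int(subscriber_id),))]


if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "2"))          # the intended lookup
    print(lookup_vulnerable(db, "1 OR 1=1"))   # injected condition widens the result
    print(lookup_vulnerable(db, "1 AND 1=2"))  # injected condition empties it
    print(lookup_hardened(db, "2"))
    try:
        lookup_hardened(db, "1 OR 1=1")
    except ValueError as exc:
        print("rejected:", exc)
```

The point of the boolean pair is that the attacker never needs to see the injected data directly: a query that returns the expected row when a condition is true and nothing (or, with a delay function, a slow response) when it is false is enough to read the database out one comparison at a time.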
Exploitation
An unauthenticated attacker sends a request whose wpmlsubscriber_id value carries SQL rather than a plain integer. Because that text becomes part of the existing query, the attacker can attach conditions to it and learn whether each condition is true from how long the server takes to respond, which is enough to recover database contents one comparison at a time.
Impact
Successful exploitation allows an unauthenticated attacker to extract sensitive information from the WordPress database. The exact scope of data disclosure depends on the crafted SQL queries.
Mitigation
The provided references do not name a fixed version. The Patches section of this page lists changeset r3566485; confirm against the plugin's changelog that it addresses this issue before relying on it. Until a fixed release is installed, monitor the plugin for updates, reject non-integer values of wpmlsubscriber_id at the web server or WAF where that is feasible, and consider alternative solutions if a patch is not released promptly.
AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Range: <=4.13
- Range: <=4.13
Patches (1)
- r3566485
Vulnerability mechanics
No source-code context for this CVE. The mechanics analysis is only generated when we can read the actual fix diff; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (3)
News mentions (0)
No linked articles in our index yet.