CVE-2026-7618
Description
The EnvíaloSimple: Email Marketing y Newsletters plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'orderby' parameter in all versions up to, and including, 2.4.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The EnvíaloSimple plugin for WordPress up to 2.4.5 has a time-based blind SQL injection in the 'orderby' parameter, exploitable by authenticated admins to extract sensitive data.
Vulnerability
The EnvíaloSimple: Email Marketing y Newsletters plugin for WordPress suffers from a time-based blind SQL injection vulnerability in the orderby parameter. The plugin fails to properly escape user input and lacks sufficient preparation on the SQL query, allowing attackers to inject malicious SQL. This affects all versions up to and including 2.4.5. The vulnerable endpoint is exposed via REST API routes as shown in the plugin's contactform7.php file [1][2].
Exploitation
An attacker must have administrator-level access to the WordPress site. A crafted REST API request with a malicious orderby parameter causes additional SQL to be appended to the existing query. The injection is time-based blind: the query's results are not reflected in the response, so the attacker must infer data from response delays. No user interaction is required beyond the attacker's own admin session.
Impact
Successful exploitation allows the attacker to extract sensitive information from the WordPress database, such as user credentials, email addresses, and other data. The attack is limited to data disclosure (confidentiality impact) and does not enable file modification or remote code execution. The attacker retains the admin privilege level but can exfiltrate data from the entire database.
Mitigation
As of the publication date, no fix has been released for versions up to 2.4.5. Affected users should restrict access to admin-level accounts, monitor for suspicious REST API activity, and consider disabling the plugin until an update is available. The CVE is not listed in the Known Exploited Vulnerabilities catalog.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
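The pattern described in the Vulnerability and Mitigation sections, shown as a vulnerable form beside a hardened form. This is an added example in the plugin's language, not code from the plugin itself; the function, table and column names are hypothetical, since the plugin's schema is not on this page.

```php
<?php
// Added example, not the plugin's code. Table and column names are
// hypothetical placeholders; the plugin's real schema is not on this page.

// Vulnerable pattern: a caller-controlled 'orderby' value is concatenated
// into the SQL text. prepare() placeholders bind values, not identifiers,
// so nothing here constrains what ends up after ORDER BY.
function es_example_contacts_vulnerable( WP_REST_Request $request ) {
    global $wpdb;
    $table   = $wpdb->prefix . 'es_example_contacts'; // hypothetical table
    $orderby = (string) $request->get_param( 'orderby' );
    $sql     = "SELECT id, email, created_at FROM {$table} ORDER BY {$orderby} LIMIT 50";
    return $wpdb->get_results( $sql, ARRAY_A );
}

// Hardened pattern: the identifier is chosen from a fixed allow-list, the
// direction is normalised to one of two literals, and the only true value
// (the row limit) is bound with a %d placeholder.
function es_example_contacts_hardened( WP_REST_Request $request ) {
    global $wpdb;
    $table           = $wpdb->prefix . 'es_example_contacts'; // hypothetical table
    $allowed_columns = array( 'id', 'email', 'created_at' );

    // sanitize_key() reduces the input to [a-z0-9_-]; the strict in_array()
    // then rejects anything that is not one of our own column names.
    $orderby = sanitize_key( (string) $request->get_param( 'orderby' ) );
    if ( ! in_array( $orderby, $allowed_columns, true ) ) {
        $orderby = 'id'; // unknown column: fall back, never echo the input
    }
    $order = 'DESC' === strtoupper( (string) $request->get_param( 'order' ) ) ? 'DESC' : 'ASC';
    $limit = min( 500, max( 1, (int) $request->get_param( 'per_page' ) ) );

    // Identifiers now come only from constants defined in this file. On
    // WordPress 6.2+ the %i placeholder can quote an identifier as well, but
    // it does not restrict which columns a caller may sort by.
    $sql = $wpdb->prepare(
        "SELECT id, email, created_at FROM {$table} ORDER BY {$orderby} {$order} LIMIT %d",
        $limit
    );
    return $wpdb->get_results( $sql, ARRAY_A );
}
```

The REST route exposing either function should still carry a permission_callback (for example checking current_user_can( 'manage_options' )), since the allow-list only removes the injection, not the need for authorisation.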
Affected products
- Range: <=2.4.5
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- plugins.trac.wordpress.org/browser/envialosimple-email-marketing-y-newsletters-gratis/tags/2.4.5/api/contactform7.php (nvd)
- plugins.trac.wordpress.org/browser/envialosimple-email-marketing-y-newsletters-gratis/tags/2.4.5/api/index.php (nvd)
- plugins.trac.wordpress.org/browser/envialosimple-email-marketing-y-newsletters-gratis/trunk/api/contactform7.php (nvd)
- plugins.trac.wordpress.org/browser/envialosimple-email-marketing-y-newsletters-gratis/trunk/api/index.php (nvd)
- www.wordfence.com/threat-intel/vulnerabilities/id/a7aa2246-aee9-4992-b030-97e78e3b7d22 (nvd)
News mentions
No linked articles in our index yet.