VYPR
Medium severity (4.9) · NVD Advisory · Published Jun 6, 2026

CVE-2026-8978

Description

SQL Injection in OptinCraft WordPress plugin allows authenticated admins to extract sensitive database information.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The OptinCraft – Drag & Drop Optins & Popup Builder for WordPress plugin is vulnerable to SQL Injection in all versions up to and including 1.2.0. This vulnerability exists due to insufficient escaping and preparation of the order_by parameter within the SQL query, specifically in CampaignRepository.php [3] which is called by CampaignController.php [2]. The code responsible for compiling SQL queries can be found in Compiler.php [1].

Exploitation

An attacker with administrator-level access or higher can exploit this vulnerability. The attacker needs to send a crafted request to the plugin's API, manipulating the order_by parameter to inject additional SQL commands. This can be done through the plugin's administrative interface or via API calls that are processed by the index method in CampaignController.php [2].

Impact

Successful exploitation allows an authenticated attacker to append malicious SQL queries to existing ones. This can lead to the extraction of sensitive information from the WordPress database, compromising data integrity and confidentiality. The scope of the compromise is limited to the data accessible by the database user the WordPress application is configured to use.

Mitigation

The vulnerability is fixed in versions after 1.2.0. Users are advised to update the OptinCraft plugin to the latest available version. No workarounds are disclosed in the available references. The plugin is not listed on the CISA KEV catalog.
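As an added illustration (not the plugin's own code, which is not available on this page), the pattern behind this class of bug: an ORDER BY clause assembled by concatenating an order_by request parameter, beside a version that resolves the same parameter through an allowlist of column names and sort directions. The table and column names are assumed.

```php
<?php
// Added illustration of the order_by SQL injection pattern; the table and
// column names are hypothetical, not taken from the OptinCraft plugin.

/**
 * Vulnerable pattern: the order_by value is interpolated into the SQL text.
 * Placeholders cannot bind identifiers, so escaping helpers do not apply;
 * whatever the caller supplies becomes part of the statement.
 */
function build_query_vulnerable(string $order_by, string $order): string {
    return "SELECT id, name FROM wp_campaigns ORDER BY {$order_by} {$order}";
}

/**
 * Hardened pattern: map the untrusted value onto a fixed set of column names
 * and directions. Anything outside the allowlist falls back to a safe default,
 * and the rejection is reported so it can be logged by the caller.
 */
function build_query_hardened(string $order_by, string $order, ?string &$rejected = null): string {
    $columns = ['id' => 'id', 'name' => 'name', 'created' => 'created_at'];
    $key = strtolower(trim($order_by));
    if (!isset($columns[$key])) {
        $rejected = $order_by;        // not an allowed column: record and use the default
        $key = 'id';
    }
    $direction = strtoupper(trim($order)) === 'DESC' ? 'DESC' : 'ASC';
    return "SELECT id, name FROM wp_campaigns ORDER BY {$columns[$key]} {$direction}";
}

// Constructed inputs: one legitimate sort key and one value that is not a column.
$inputs = [
    ['name', 'desc'],
    ['id, extra_column', 'asc'],   // constructed non-column value
];
foreach ($inputs as [$order_by, $order]) {
    $rejected = null;
    echo "vulnerable: " . build_query_vulnerable($order_by, $order) . "\n";
    echo "hardened:   " . build_query_hardened($order_by, $order, $rejected) . "\n";
    if ($rejected !== null) {
        echo "            rejected order_by value: " . json_encode($rejected) . "\n";
    }
}
```

Run with `php example.php`; the vulnerable builder echoes the second input verbatim into the statement, while the hardened builder emits `ORDER BY id ASC` and reports the rejected value for logging.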

AI Insight generated on Jun 6, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

No source-code context is available for this CVE; the mechanics section is only generated when we can read the actual fix diff. Without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References: 5

News mentions: 0

No linked articles in our index yet.