Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in seballero Emailing Subscription email-suscripcion allows Blind SQL Injection. This issue affects Emailing Subscription: from n/a through <= 1.4.1.
Published: 2025-01-09
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Accepting unsanitized user input during email subscription creates a blind SQL injection vector. An attacker can send crafted requests that the plugin forwards directly to the database without proper neutralization, allowing data in the underlying store to be read and potentially modified. This flaw does not require elevated privileges and could result in disclosure of confidential post or user data or, in some contexts, database corruption or complete takeover of the site content. The vulnerability is a classic example of CWE-89.

Affected Systems

The flaw is present in the seballero Emailing Subscription WordPress plugin version 1.4.1 and earlier. Administrators should confirm whether the site is running any of these affected releases.

Risk and Exploitability

The CVSS score of 9.3 classifies this as a critical-severity vulnerability, while the EPSS score of less than 1% indicates a low probability of exploitation at the time of analysis. The vulnerability is not listed in CISA's KEV catalog. Exploitation can be performed remotely by sending crafted HTTP requests to the plugin's subscription endpoint, provided the plugin is enabled and the site is publicly reachable. No special network conditions are required beyond normal web traffic.

Generated by OpenCVE AI on May 2, 2026 at 06:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Emailing Subscription plugin to the latest version (>=1.4.2) released by the vendor.
  • If an update is not feasible, remove or permanently disable the plugin to prevent abuse.
  • Apply strict input validation or sanitization on any form fields that feed into SQL queries to eliminate similar injection opportunities.
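The impact section above describes the CWE-89 pattern in general terms, and the last recommended action asks for validation or parameterization of form fields that reach SQL. The PHP below is an added illustration of that pattern in a WordPress plugin context; it is not the Emailing Subscription plugin's code, and the `wp_subscribers` table, the function names and the `demo_subscribe` AJAX action are assumptions made for the example. It shows the unsafe string-concatenation form beside a hardened form that validates the address and binds it with `$wpdb->prepare()`.

```php
<?php
// Added example of the CWE-89 pattern behind this advisory. Not the plugin's
// own code: the {$wpdb->prefix}subscribers table and all function/action
// names below are assumptions for illustration.

// Unsafe: the submitted address is spliced into the SQL text. Any quote
// character in $email becomes part of the query structure instead of the
// compared value, which is exactly the blind-injection surface described above.
function subscriber_exists_unsafe( $email ) {
    global $wpdb;
    $sql = "SELECT COUNT(*) FROM {$wpdb->prefix}subscribers WHERE email = '$email'";
    return (int) $wpdb->get_var( $sql ) > 0;
}

// Hardened: first reject anything that is not a well-formed e-mail address,
// then pass the value as a bound %s placeholder so $wpdb->prepare() escapes
// it as a string literal rather than as SQL.
function subscriber_exists_safe( $email ) {
    global $wpdb;
    $email = sanitize_email( $email );
    if ( ! is_email( $email ) ) {
        return false; // malformed input never reaches the database
    }
    $sql = $wpdb->prepare(
        "SELECT COUNT(*) FROM {$wpdb->prefix}subscribers WHERE email = %s",
        $email
    );
    return (int) $wpdb->get_var( $sql ) > 0;
}

// Request handler for the (hypothetical) public subscription form.
// wp_unslash() removes the slashes WordPress adds to $_POST; validation and
// parameter binding happen inside subscriber_exists_safe().
function handle_subscribe_request() {
    $email = isset( $_POST['email'] ) ? wp_unslash( $_POST['email'] ) : '';
    $email = sanitize_email( $email );

    if ( ! is_email( $email ) ) {
        wp_send_json_error( 'invalid e-mail address' );
    }
    if ( subscriber_exists_safe( $email ) ) {
        wp_send_json_error( 'already subscribed' );
    }

    // $wpdb->insert() with an explicit format array keeps the write
    // parameterized as well, so the insert path is no weaker than the lookup.
    global $wpdb;
    $wpdb->insert(
        "{$wpdb->prefix}subscribers",
        array( 'email' => $email ),
        array( '%s' )
    );
    wp_send_json_success();
}

// Unauthenticated visitors submit the form, hence the nopriv hook.
add_action( 'wp_ajax_nopriv_demo_subscribe', 'handle_subscribe_request' );
```

The two lookup functions differ only in how the address reaches the query, which is the whole of the fix: `is_email()` narrows the accepted input, and `%s` binding makes the remaining value inert regardless of its contents. When auditing a plugin for this class of issue, grep for `$wpdb->query`, `get_var`, `get_results` and `get_row` calls whose SQL string is built with interpolation or concatenation of request data rather than passed through `prepare()`.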

Advisories

Source: EUVD
ID: EUVD-2025-2818
Title: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Sebastian Orellana Emailing Subscription allows Blind SQL Injection. This issue affects Emailing Subscription: from n/a through 1.4.1.

History

Thu, 23 Apr 2026 15:00:00 +0000
  Metrics (cvssV3_1): {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}

Wed, 01 Apr 2026 23:45:00 +0000
  Description
    Removed: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Sebastian Orellana Emailing Subscription allows Blind SQL Injection. This issue affects Emailing Subscription: from n/a through 1.4.1.
    Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in seballero Emailing Subscription email-suscripcion allows Blind SQL Injection. This issue affects Emailing Subscription: from n/a through <= 1.4.1.
  References
  Metrics (cvssV3_1): {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}

Fri, 10 Jan 2025 21:15:00 +0000
  Metrics (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 09 Jan 2025 15:45:00 +0000
  Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Sebastian Orellana Emailing Subscription allows Blind SQL Injection. This issue affects Emailing Subscription: from n/a through 1.4.1.
  Title: WordPress Emailing Subscription Plugin <= 1.4.1 - SQL Injection vulnerability
  Weaknesses: CWE-89
  References
  Metrics (cvssV3_1): {'score': 9.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L'}

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:01.142Z

Reserved: 2025-01-07T10:23:07.227Z

Link: CVE-2025-22540

Vulnrichment

Updated: 2025-01-10T20:22:44.093Z

NVD

Status : Deferred

Published: 2025-01-09T16:16:28.503

Modified: 2026-06-17T08:48:07.050

Link: CVE-2025-22540

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T06:45:36Z

Weaknesses
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')