Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Nks Email Subscription Popup email-subscribe allows Blind SQL Injection. This issue affects Email Subscription Popup: from n/a through <= 1.2.23.
Published: 2025-01-24
Score: 7.6 High
EPSS: 31.1% Moderate
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

WordPress sites that use the Nks Email Subscription Popup plugin up to version 1.2.23 suffer from a blind SQL injection flaw. The vulnerability stems from improper neutralization of user-supplied input before it is used in an SQL query, allowing attackers to embed SQL commands of their own. Successful exploitation can read or alter data stored in the WordPress database, potentially compromising the confidentiality and integrity of site content.

Affected Systems

This vulnerability affects WordPress installations that have the Nks Email Subscription Popup plugin at version 1.2.23 or earlier. The plugin includes an email‑subscription component that accepts user input. Based on the description, it is inferred that the subscription interface is publicly reachable, permitting unauthenticated users to submit data that is processed by the plugin.

Risk and Exploitability

The CVSS score of 7.6 marks this flaw as high severity, while the EPSS score of 31% indicates a moderate likelihood of exploitation in the wild. It is not listed in CISA’s KEV catalog. The likely attack vector, inferred from the description, involves sending specially crafted input through the subscription form or related API endpoint to exploit the blind SQL injection and extract or modify database records.

Generated by OpenCVE AI on June 18, 2026 at 11:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Email Subscription Popup plugin to version 1.2.24 or later to eliminate the injection flaw
  • If an upgrade is not immediately possible, disable the plugin or remove its subscription endpoint to block further exploitation
  • Deploy a web application firewall rule that rejects SQL injection patterns on the plugin’s input fields
  • Continuously monitor database logs for abnormal query activity to detect attempts to exploit the vulnerability


Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in I Thirteen Web Solution Email Subscription Popup allows Blind SQL Injection. This issue affects Email Subscription Popup: from n/a through 1.2.23.
  Values Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Nks Email Subscription Popup email-subscribe allows Blind SQL Injection. This issue affects Email Subscription Popup: from n/a through <= 1.2.23.
References
Metrics cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 24 Jan 2025 17:45:00 +0000

Type Values Removed Values Added
Description Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in I Thirteen Web Solution Email Subscription Popup allows Blind SQL Injection. This issue affects Email Subscription Popup: from n/a through 1.2.23.
Title WordPress Email Subscription Popup plugin <= 1.2.23 - SQL Injection vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-05-11T23:13:03.815Z

Reserved: 2025-01-23T14:50:49.323Z

Link: CVE-2025-24587

Vulnrichment

Updated: 2025-02-12T20:36:17.081Z

NVD

Status : Deferred

Published: 2025-01-24T18:15:35.697

Modified: 2026-06-17T08:59:16.407

Link: CVE-2025-24587

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T11:45:15Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')