Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Stefano Lissa Newsletter newsletter allows Blind SQL Injection. This issue affects Newsletter: from n/a through <= 9.0.9.
Published: 2025-12-16
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: Blind SQL injection
Action: Update plugin
AI Analysis

Impact

The Newsletter plugin for WordPress, developed by Stefano Lissa, improperly handles user-supplied input in SQL statements, classified as CWE-89. This flaw allows blind SQL injection, meaning an attacker could insert arbitrary SQL code that may enable reading, modifying, or deleting data from the WordPress database.

Affected Systems

All versions of the Newsletter plugin up to and including version 9.0.9 are affected. Any WordPress installation that has installed one of these versions is vulnerable.

Risk and Exploitability

The CVSS score of 7.6 indicates high severity, while the EPSS score of less than 1% shows that exploitation is possible but not widespread. The vulnerability is not listed in the CISA KEV catalog. Attackers can potentially exploit it by sending crafted requests to the plugin's endpoints that accept user input, taking advantage of the lack of sanitization. The injection is blind, so attackers might infer data through timing or error-based responses. The likely attack vector is through HTTP requests handled by the plugin.

Generated by OpenCVE AI on April 28, 2026 at 10:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Newsletter plugin to the latest available version to remove the SQL injection flaw.
  • If an update cannot be performed immediately, restrict public-facing inputs and administrative access to the plugin to limit opportunities for injection.
  • Apply request filtering or a web application firewall to block suspicious SQL characters and monitor for repeated injection attempts.

Tracking

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values Removed: {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N'}
Values Added: {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:L'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Wed, 17 Dec 2025 20:15:00 +0000

Type: Metrics
Values Added:
  cvssV3_1: {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Dec 2025 17:15:00 +0000

Type: First Time appeared
Values Added:
  Stefanno Lissa
  Stefanno Lissa newsletter
  Wordpress
  Wordpress wordpress

Type: Vendors & Products
Values Added:
  Stefanno Lissa
  Stefanno Lissa newsletter
  Wordpress
  Wordpress wordpress

Tue, 16 Dec 2025 08:30:00 +0000

Type: Description
Values Added: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Stefano Lissa Newsletter newsletter allows Blind SQL Injection. This issue affects Newsletter: from n/a through <= 9.0.9.

Type: Title
Values Added: WordPress Newsletter plugin <= 9.0.9 - SQL Injection vulnerability

Type: Weaknesses
Values Added: CWE-89

Type: References

Subscriptions

Stefanno Lissa Newsletter
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:25.635Z

Reserved: 2025-12-15T10:00:49.129Z

Link: CVE-2025-67999

Vulnrichment

Updated: 2025-12-17T20:10:22.179Z

NVD

Status: Deferred

Published: 2025-12-16T09:16:00.800

Modified: 2026-04-27T18:16:53.040

Link: CVE-2025-67999

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T10:15:28Z

Weaknesses