Description
The Newsletters plugin for WordPress is vulnerable to time-based SQL Injection via the ‘wpmlsubscriber_id’ parameter in all versions up to, and including, 4.13 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2026-06-10
Score: 7.5 High
EPSS: 1.4% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Newsletters plugin for WordPress contains a time‑based SQL injection flaw in the wpmlsubscriber_id parameter in all releases up to and including version 4.13. The parameter value is insufficiently escaped and the surrounding SQL query is not prepared, allowing an attacker to append arbitrary SQL statements. This weakness can be used to read sensitive information from the WordPress database, including user credentials, configuration data, and other confidential content. The flaw is a classic instance of injection, represented by CWE‑89.

Affected Systems

Any WordPress installation running the Contrid Newsletters plugin at version 4.13 or earlier is affected. No other products or versions are known to be vulnerable, and versions newer than 4.13 are presumed fixed.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity. The EPSS score is 1%, showing a low probability of exploitation, yet the absence of an authentication requirement makes the vulnerability reachable by unauthenticated attackers. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a remote HTTP request that supplies a crafted wpmlsubscriber_id value; this inference follows from the description, which states that the parameter is exposed to unauthenticated traffic.

Generated by OpenCVE AI on June 18, 2026 at 07:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Newsletters plugin to a release newer than 4.13, such as version 4.14, which removes the vulnerable parameter handling.
  • If an immediate upgrade is not possible, restrict network or application access to the URLs that accept the wpmlsubscriber_id parameter, so that only authenticated users can reach them.
  • Deploy a web application firewall or enforce strict input validation to block malformed wpmlsubscriber_id values that could be used to inject SQL code.
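As an added illustration of the weakness class described in the Impact section and of the input-validation and prepared-statement fixes implied by the recommended actions, the following is hypothetical code written for this page, not code from the Newsletters plugin; the table name wpmlsubscribers and its integer id column are assumptions. The first function shows the unsafe pattern of concatenating a request parameter into SQL text; the second shows the WordPress $wpdb->prepare() form that keeps the value out of the query structure.

```php
<?php
// Hypothetical illustration, not the Newsletters plugin's own code.
// Assumes the WordPress $wpdb object and an assumed table
// {$wpdb->prefix}wpmlsubscribers with an integer primary key "id".

// Unsafe: the raw request value is concatenated into the SQL text, so any
// input beyond a plain integer becomes part of the statement the database
// executes (CWE-89). A time-based injection needs no visible output; a
// measurable response delay alone is enough to leak data bit by bit.
function get_subscriber_unsafe( $wpdb ) {
    $id  = isset( $_GET['wpmlsubscriber_id'] ) ? $_GET['wpmlsubscriber_id'] : '';
    $sql = "SELECT * FROM {$wpdb->prefix}wpmlsubscribers WHERE id = " . $id;
    return $wpdb->get_row( $sql );
}

// Hardened: coerce the parameter to a non-negative integer first, then
// bind it through $wpdb->prepare() with a %d placeholder. The value never
// becomes part of the SQL text, so it cannot change the query structure.
function get_subscriber_safe( $wpdb ) {
    if ( ! isset( $_GET['wpmlsubscriber_id'] ) ) {
        return null;
    }
    $id = absint( wp_unslash( $_GET['wpmlsubscriber_id'] ) );
    if ( 0 === $id ) {
        return null; // reject empty, non-numeric or zero ids outright
    }
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}wpmlsubscribers WHERE id = %d",
        $id
    );
    return $wpdb->get_row( $sql );
}
```

If the endpoint does not need to be public, a capability or login check before the query (for example current_user_can() or is_user_logged_in()) implements the second recommended action in code rather than at the network layer.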

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 13:30:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 10 Jun 2026 11:30:00 +0000

Type: First Time appeared
Values added: Contrid; Contrid newsletters; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values added: Contrid; Contrid newsletters; Wordpress; Wordpress wordpress

Wed, 10 Jun 2026 09:45:00 +0000

Type: Description
Values added: The Newsletters plugin for WordPress is vulnerable to time-based SQL Injection via the ‘wpmlsubscriber_id’ parameter in all versions up to, and including, 4.13 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Type: Title
Values added: Newsletters <= 4.13 - Unauthenticated SQL Injection via wpmlsubscriber_id Parameter

Type: Weaknesses
Values added: CWE-89

Type: References
Values added: (none listed)

Type: Metrics (cvssV3_1)
Values added: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-10T12:46:38.254Z

Reserved: 2026-02-23T11:03:25.560Z

Link: CVE-2026-3018

Vulnrichment

Updated: 2026-06-10T12:46:32.172Z

NVD

Status: Deferred

Published: 2026-06-10T10:16:31.713

Modified: 2026-06-10T18:35:12.690

Link: CVE-2026-3018

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T07:30:05Z

Weaknesses
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')