Impact
The Creative Mail – Easier WordPress & WooCommerce Email Marketing plugin contains a flaw in the has_checkout_consent() method, where the checkout_uuid parameter is neither escaped nor bound through a prepared statement before it reaches the SQL query. This allows a malicious actor to inject arbitrary SQL into the query, leading to unauthenticated execution of SQL statements. The vulnerability falls under CWE-89 and can be leveraged to read, modify, or delete data stored in the WordPress database, potentially exposing sensitive user information. The impact is a loss of confidentiality, integrity, and availability of the site's data.
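As an added illustration, not code taken from the Creative Mail plugin or from OpenCVE, the following PHP contrasts the unsafe query-building pattern the advisory describes (a raw request parameter concatenated into SQL) with a hardened version that validates the value and binds it with a prepared statement. The function bodies, the table name and the column names are assumptions made for this example; only `$wpdb->prepare()` and `wp_is_uuid()` are real WordPress APIs.

```php
<?php
// Constructed example for this advisory; not the plugin's own code.
// Table and column names below are assumed placeholders.

/**
 * Unsafe pattern (assumed shape, for contrast only): the raw parameter is
 * concatenated straight into the SQL string, so quote characters inside
 * checkout_uuid change the query structure instead of being treated as data.
 */
function example_has_checkout_consent_unsafe( $checkout_uuid ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_checkout_consent'; // assumed table name
    $sql   = "SELECT consent FROM {$table} WHERE checkout_uuid = '{$checkout_uuid}'";
    return (bool) $wpdb->get_var( $sql );
}

/**
 * Hardened version: fail closed on anything that is not a well-formed UUID,
 * then bind the value with $wpdb->prepare() so the database only ever sees
 * it as a quoted string literal, never as SQL syntax.
 */
function example_has_checkout_consent_safe( $checkout_uuid ) {
    global $wpdb;

    // Allow-list validation: the parameter is supposed to be a UUID, so
    // reject every other shape before it touches the query at all.
    if ( ! is_string( $checkout_uuid ) || ! wp_is_uuid( $checkout_uuid ) ) {
        return false;
    }

    $table = $wpdb->prefix . 'example_checkout_consent'; // assumed table name
    $sql   = $wpdb->prepare(
        "SELECT consent FROM {$table} WHERE checkout_uuid = %s LIMIT 1",
        $checkout_uuid
    );
    return (bool) $wpdb->get_var( $sql );
}
```

The `%s` placeholder makes `$wpdb->prepare()` escape and quote the value, which is the fix for the "not escaped or prepared" condition the advisory names; the UUID check is defence in depth that also keeps malformed input out of logs and error paths. Note that placeholders bind values only: the table name is still interpolated, so it must come from trusted code (as `$wpdb->prefix` does here), never from a request.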
Affected Systems
Any WordPress site running the Creative Mail plugin version 1.6.9 or earlier is affected. The plugin is provided by constantcontact and is used to manage email marketing for WordPress and WooCommerce installations.
Risk and Exploitability
The CVSS score of 7.5 indicates a high severity level. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting no documented widespread exploitation at the time of this analysis. Attackers can reach the vulnerable endpoint without authentication by sending crafted requests that include a malicious checkout_uuid value. Once the injection succeeds, the attacker can extract or tamper with database contents, compromising the entire site. The absence of authentication controls and the ability to alter the query directly make exploitation straightforward for any party capable of sending HTTP requests to the site.
OpenCVE Enrichment