{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/creative-mail--easier-wordpress--woocommerce-email-marketing-plugin--1.6.9/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-3985"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Creative Mail – Easier WordPress \u0026 WooCommerce Email Marketing plugin \u003c= 1.6.9"],"_cs_severities":["high"],"_cs_tags":["sqli","wordpress","plugin","cve-2026-3985","cloud"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe Creative Mail – Easier WordPress \u0026amp; WooCommerce Email Marketing plugin, a popular email marketing tool for WordPress, is vulnerable to SQL Injection. Specifically, versions up to and including 1.6.9 are susceptible. The vulnerability resides in the \u003ccode\u003ehas_checkout_consent()\u003c/code\u003e method, stemming from insufficient escaping of the user-supplied \u003ccode\u003echeckout_uuid\u003c/code\u003e parameter, compounded by a lack of sufficient preparation on the existing SQL query. This flaw enables unauthenticated attackers to inject malicious SQL queries, potentially leading to the extraction of sensitive data from the WordPress database. Successful exploitation could compromise user credentials, customer data, and other confidential information stored within the database.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress site using the vulnerable Creative Mail plugin (version \u0026lt;= 1.6.9).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting an endpoint that utilizes the \u003ccode\u003ehas_checkout_consent()\u003c/code\u003e method.\u003c/li\u003e\n\u003cli\u003eThe malicious request includes a specifically crafted \u003ccode\u003echeckout_uuid\u003c/code\u003e parameter containing SQL injection payloads.\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003ehas_checkout_consent()\u003c/code\u003e method fails to properly sanitize the \u003ccode\u003echeckout_uuid\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe unsanitized \u003ccode\u003echeckout_uuid\u003c/code\u003e parameter is incorporated into an SQL query without proper preparation or escaping.\u003c/li\u003e\n\u003cli\u003eThe injected SQL code is executed against the WordPress database.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the injected SQL to extract sensitive information, such as user credentials or customer data.\u003c/li\u003e\n\u003cli\u003eThe attacker may use the extracted data for malicious purposes, including account takeover or data theft.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this SQL Injection vulnerability (CVE-2026-3985) can lead to the compromise of sensitive data stored in the WordPress database. This includes user credentials, customer information, and potentially other confidential data. The CVSS v3.1 base score for this vulnerability is 7.5, indicating a high level of severity. An attacker could gain unauthorized access to the WordPress site, potentially leading to further compromise and damage. The number of affected websites is unknown but could be significant, given the popularity of the Creative Mail plugin.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the Creative Mail – Easier WordPress \u0026amp; WooCommerce Email Marketing plugin to a version greater than 1.6.9 to patch CVE-2026-3985.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect CVE-2026-3985 Exploitation Attempt via Creative Mail Plugin\u0026rdquo; to your SIEM to identify potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests containing SQL injection payloads in the \u003ccode\u003echeckout_uuid\u003c/code\u003e parameter (see example in Sigma rule test cases).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-20T02:18:34Z","date_published":"2026-05-20T02:18:34Z","id":"https://feed.craftedsignal.io/briefs/2026-05-creative-mail-sqli/","summary":"The Creative Mail plugin for WordPress is vulnerable to SQL Injection due to insufficient escaping of the 'checkout_uuid' parameter and lack of sufficient preparation on the SQL query in the `has_checkout_consent()` method, allowing unauthenticated attackers to extract sensitive information from the database.","title":"Creative Mail WordPress Plugin Vulnerable to SQL Injection (CVE-2026-3985)","url":"https://feed.craftedsignal.io/briefs/2026-05-creative-mail-sqli/"}],"language":"en","title":"CraftedSignal Threat Feed — Creative Mail – Easier WordPress \u0026 WooCommerce Email Marketing Plugin \u003c= 1.6.9","version":"https://jsonfeed.org/version/1.1"}