CVE-2026-3018 Overview
CVE-2026-3018 is a time-based SQL Injection [CWE-89] vulnerability in the Newsletters plugin for WordPress. The flaw affects all versions of the plugin up to and including 4.13. The vulnerability exists in the handling of the wpmlsubscriber_id parameter, which lacks proper escaping and prepared statement usage. Unauthenticated attackers can append additional SQL queries to existing database operations. Successful exploitation enables extraction of sensitive information from the WordPress database, including user credentials, session tokens, and configuration data.
Critical Impact
Unauthenticated remote attackers can extract sensitive database contents from affected WordPress sites by injecting SQL through the wpmlsubscriber_id parameter.
Affected Products
- Newsletters plugin for WordPress (newsletters-lite), all versions through 4.13
- WordPress sites using the affected plugin with the wpmlsubscriber_id endpoint exposed
- Patched in the changeset published as version 4.14
Discovery Timeline
- 2026-06-10 - CVE CVE-2026-3018 published to NVD
- 2026-06-10 - Last updated in NVD database
Technical Details for CVE-2026-3018
Vulnerability Analysis
The vulnerability is a classic time-based blind SQL injection. The Newsletters plugin accepts the wpmlsubscriber_id parameter from user input and concatenates it into a SQL query without sufficient sanitization or use of prepared statements. The affected code path is referenced in wp-mailinglist-plugin.php near line 6040. Because the response does not directly echo query results, attackers rely on time-based payloads such as SLEEP() constructs to infer data one byte at a time. The injection occurs in a pre-authentication context, making it reachable by any anonymous visitor.
Root Cause
The root cause is insufficient escaping of user-supplied input combined with the absence of $wpdb->prepare() parameterization on the SQL query. WordPress provides safe query APIs, but the plugin builds the query string through direct interpolation. Any non-integer or specially crafted value passed as wpmlsubscriber_id becomes part of the executed SQL statement.
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker sends an HTTP request to the vulnerable endpoint with a crafted wpmlsubscriber_id parameter containing SQL syntax. By measuring response delays produced by injected SLEEP or BENCHMARK functions, the attacker extracts database contents character by character. Automated tooling such as sqlmap can perform the extraction without manual interaction.
No verified public exploit code is available. See the Wordfence Vulnerability Report and the WordPress Plugin Code Review for technical details of the affected query.
Detection Methods for CVE-2026-3018
Indicators of Compromise
- HTTP requests containing the wpmlsubscriber_id parameter with non-numeric values or SQL keywords such as SLEEP, BENCHMARK, UNION, or SELECT.
- Web server access logs showing repeated requests to Newsletters plugin endpoints with consistent response delays in multiples of seconds.
- Database slow query logs showing unexpected SLEEP() or long-running SELECT operations originating from the plugin context.
Detection Strategies
- Inspect WordPress access logs for query strings referencing wpmlsubscriber_id paired with URL-encoded SQL syntax such as %20AND%20, %27, or %28SELECT.
- Deploy web application firewall rules that flag SQL injection payload patterns targeting the Newsletters plugin parameters.
- Correlate response time anomalies on plugin endpoints with repeated requests from the same source IP to identify blind injection campaigns.
Monitoring Recommendations
- Enable MySQL or MariaDB query logging on the WordPress database and alert on SLEEP() calls in production query streams.
- Monitor outbound database traffic from the web tier for sustained sequential queries indicative of automated extraction.
- Track the installed version of the Newsletters plugin across sites and alert on hosts running 4.13 or earlier.
How to Mitigate CVE-2026-3018
Immediate Actions Required
- Update the Newsletters plugin to the version released in changeset 3566485 or later, which removes the unsafe query construction.
- If immediate patching is not possible, deactivate and remove the Newsletters plugin until the update is applied.
- Review database audit logs and authentication tables for evidence of unauthorized data access prior to remediation.
Patch Information
The vendor addressed the issue in the WordPress Plugin Change Set. Administrators should apply the patched release through the WordPress plugin updater or by replacing the plugin files directly. Verify the installed version after update to confirm remediation.
Workarounds
- Block requests containing the wpmlsubscriber_id parameter at the web application firewall until the patch is deployed.
- Restrict access to Newsletters plugin endpoints by IP allowlisting if the functionality is only required for internal users.
- Enforce strict input validation at a reverse proxy layer to reject non-integer values for the wpmlsubscriber_id parameter.
# Example ModSecurity rule to block SQLi attempts on the vulnerable parameter
SecRule ARGS:wpmlsubscriber_id "@rx (?i)(sleep|benchmark|union|select|--|;)" \
"id:1026301,\
phase:2,\
deny,\
status:403,\
msg:'CVE-2026-3018 Newsletters plugin SQLi attempt blocked'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
