CVE-2026-3985: Creative Mail WordPress Plugin SQLi Flaw

CVE-2026-3985 Overview

CVE-2026-3985 is an SQL Injection vulnerability in the Creative Mail – Easier WordPress & WooCommerce Email Marketing plugin for WordPress. The flaw affects all versions up to and including 1.6.9. It exists in the has_checkout_consent() method, which fails to sufficiently escape the user-supplied checkout_uuid parameter and does not properly prepare the SQL query. Unauthenticated attackers can append additional SQL statements to existing queries and extract sensitive data from the WordPress database. The vulnerability is classified under CWE-89, Improper Neutralization of Special Elements used in an SQL Command.

Critical Impact

Unauthenticated attackers can extract sensitive database contents — including user credentials, session tokens, and customer data — from any WordPress site running a vulnerable Creative Mail plugin installation.

Affected Products

• Creative Mail – Easier WordPress & WooCommerce Email Marketing plugin
• All plugin versions up to and including 1.6.9
• WordPress sites with the plugin enabled and reachable over the network

Discovery Timeline

• 2026-05-20 - CVE-2026-3985 published to NVD
• 2026-05-20 - Last updated in NVD database

Technical Details for CVE-2026-3985

Vulnerability Analysis

The vulnerability resides in the has_checkout_consent() method within the plugin's DatabaseManager.php file. The method accepts a checkout_uuid value originating from CheckoutManager.php and incorporates it into an SQL query without using parameterized statements or adequate input escaping. Because the query construction relies on direct string handling rather than prepared statements via $wpdb->prepare(), attacker-controlled input becomes part of the executed SQL syntax.

An unauthenticated remote attacker can craft a checkout_uuid payload that terminates the original query context and appends arbitrary SQL operations. Typical exploitation paths include UNION-based extraction of data from the wp_users table, time-based blind injection to enumerate schema contents, and exfiltration of session and authentication metadata. The CWE-89 classification reflects the absence of safe query construction in a code path reachable without authentication.

Root Cause

The root cause is insufficient escaping of the user-supplied checkout_uuid parameter combined with a lack of query preparation in has_checkout_consent(). The plugin trusts request input and concatenates it directly into the SQL statement.

Attack Vector

The attack vector is network-based and requires no authentication or user interaction. An attacker issues a single crafted HTTP request to the plugin's checkout consent endpoint, supplying a malicious checkout_uuid value. The injected SQL executes against the WordPress backend database with the privileges of the WordPress database user.

No verified public exploit code is available at this time. See the Wordfence Vulnerability Report and the vulnerable source in DatabaseManager.php for technical details of the affected method.

Detection Methods for CVE-2026-3985

Indicators of Compromise

• HTTP requests containing SQL metacharacters such as UNION SELECT, SLEEP(, --, /*, or single quotes within the checkout_uuid parameter.
• Web server access logs showing repeated requests to Creative Mail plugin checkout endpoints from a single source IP within a short time window.
• Unexpected entries in MySQL slow query logs referencing the plugin's consent table or queries with abnormally long execution times.
• Outbound traffic from the WordPress host to attacker-controlled infrastructure shortly after suspicious requests.

Detection Strategies

• Deploy Web Application Firewall (WAF) rules that inspect the checkout_uuid parameter for SQL syntax and reject non-UUID-formatted values.
• Enable MySQL general or audit logging on the WordPress database to capture anomalous query structures from the plugin code path.
• Correlate WordPress access logs with database query logs to identify request-to-query patterns indicative of injection attempts.
• Scan installed WordPress plugins for the vulnerable version 1.6.9 or earlier using plugin inventory tooling.

Monitoring Recommendations

• Monitor HTTP request bodies and query strings for SQL injection signatures targeting WordPress plugin endpoints.
• Alert on response time anomalies that may indicate time-based blind SQL injection probing.
• Track new or modified WordPress administrator accounts that could be created by an attacker following data extraction.

How to Mitigate CVE-2026-3985

Immediate Actions Required

• Inventory all WordPress sites and identify installations of the Creative Mail plugin at version 1.6.9 or earlier.
• Update the Creative Mail plugin to a version newer than 1.6.9 once released by the vendor; if no fixed version is available, deactivate and remove the plugin.
• Rotate WordPress administrator passwords, API keys, and database credentials on any site where exploitation is suspected.
• Review user, options, and session tables for unauthorized modifications or new accounts.

Patch Information

At time of publication, the vulnerability is documented against all versions up to and including 1.6.9. Site administrators should consult the Wordfence Vulnerability Report and the plugin repository for the latest fixed release.

Workarounds

• Disable and uninstall the Creative Mail plugin until a patched version is installed.
• Apply WAF rules that enforce strict UUID format validation on the checkout_uuid parameter and block requests containing SQL keywords.
• Restrict database privileges of the WordPress MySQL user to the minimum required, removing rights such as FILE and unnecessary CREATE/DROP privileges.

# Example ModSecurity rule to block non-UUID checkout_uuid values
SecRule ARGS:checkout_uuid "!@rx ^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$" \
    "id:1026398501,phase:2,deny,status:403,\
    msg:'CVE-2026-3985 Creative Mail SQLi attempt - invalid checkout_uuid format'"