CVE-2026-3018: Newsletters <= 4.13 - Unauthenticated SQL Injection via wpmlsubscriber_id Parameter
The Newsletters plugin for WordPress is vulnerable to time-based SQL Injection via the ‘wpmlsubscriber_id’ parameter in all versions up to, and including, 4.13 due to insufficient escaping on the user-supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries to already existing queries, which can be used to extract sensitive information from the database.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: none published yet
- Affected Products: 1
HarborGuard Analysis
Synopsis
Time-based SQL injection in the Newsletters plugin for WordPress (versions up to and including 4.13) allows an unauthenticated remote attacker to manipulate the wpmlsubscriber_id parameter and append arbitrary SQL to existing database queries. The vulnerability is reachable over the network with no login required and no victim interaction needed. Successful exploitation extracts sensitive data from the WordPress database. No fix version has been published; HarborGuard tracks the advisory and will make a patched rebuild available as soon as an upstream fix is released.
HarborGuard Coverage
- Detection: Available
Detection of CVE-2026-3018 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built WordPress images that bundle the Newsletters plugin at version 4.13 or earlier.
- Scoring and triage: Available
HarborGuard is capable of scoring this finding at CVSS 7.5 (HIGH) and weighting it against each environment's compliance policy to determine urgency. Triage routing delivers the finding to the appropriate team inbox within each customer org based on image ownership and policy configuration.
- Patched rebuild: Pending upstream
Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment a remediated version of the plugin is released. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will trigger automatically once a fix version becomes available.
Exploit Conditions
- Network reachability: Required
The vulnerable parameter is exposed over the network via HTTP requests to the WordPress installation, so the attacker must be able to reach the service remotely.
- Authentication: Not required
No account or session token is needed; the wpmlsubscriber_id parameter accepts unauthenticated input.
- Victim interaction: Not required
The attacker sends crafted requests directly to the server; no user action or social engineering is involved.
- Attack complexity: Low
Exploitation is reliable and condition-free: the injection point is consistently reachable and requires no special memory layout, race condition, or environmental prerequisite beyond network access.
Blast Radius
- Reads arbitrary rows from the WordPress database, including user credentials (hashed passwords), email addresses, and session tokens stored in the wp_users and wp_usermeta tables.
- Extracts plugin and site configuration data, subscriber lists, and any personally identifiable information stored by the Newsletters plugin.
- Enables enumeration of WordPress user roles and privilege levels, giving an attacker a map for follow-on account-takeover attempts.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-3018 is active and matches any image found to contain the Newsletters plugin at version 4.13 or earlier. Because no upstream fix exists yet, HarborGuard monitors the advisory on every ingest cycle and will automatically trigger a patched-image rebuild the moment a remediated version is published; customers with auto-remediation enabled will receive the rebuild, a regression test run, and a PR opened against affected workloads without manual intervention. In the interim, compensating controls worth considering include network-policy rules that restrict direct HTTP access to the WordPress installation from untrusted sources, web application firewall rules that filter or block requests carrying anomalous wpmlsubscriber_id values, and egress filtering on the database host to limit exfiltration paths even if injection succeeds.
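As an added example (not HarborGuard's code and not the plugin's), this is the allowlist-style check behind the WAF rule suggested above, run over constructed web-server access-log lines: wpmlsubscriber_id is a numeric row identifier, so any value that is not a plain integer is flagged, and the secondary labels only explain why for triage. The log format, the sample lines and the label names are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# The parameter is a row id: the allowlist check is "plain non-negative integer";
# everything else is anomalous, whatever it contains.
INTEGER_ID = re.compile(r"^[0-9]{1,10}$")

# Labels explaining *why* a value is anomalous, for triage rather than blocking:
# keyword blocklists alone are easy to evade, the integer allowlist is the control.
REASONS = [
    ("quote", re.compile(r"['\"`]")),
    ("comment", re.compile(r"(--|#|/\*)")),
    ("time_based", re.compile(r"\b(sleep|benchmark|pg_sleep|waitfor)\b", re.I)),
    ("sql_keyword", re.compile(r"\b(select|union|and|or)\b", re.I)),
]

# Common Log Format: ip ident user [time] "METHOD target proto" status size
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample lines (not real traffic): a benign id, a stray quote,
# a time-based probe pattern, and an unrelated request.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2026:10:00:01 +0000] "GET /?wpmlsubscriber_id=42 HTTP/1.1" 200 512
203.0.113.11 - - [12/Mar/2026:10:00:02 +0000] "GET /?wpmlsubscriber_id=42%27 HTTP/1.1" 500 0
203.0.113.12 - - [12/Mar/2026:10:00:09 +0000] "GET /?wpmlsubscriber_id=42+AND+SLEEP%285%29 HTTP/1.1" 200 512
203.0.113.13 - - [12/Mar/2026:10:00:10 +0000] "GET /wp-login.php HTTP/1.1" 200 1024
"""

def classify_value(value):
    """Return the reasons a decoded wpmlsubscriber_id is anomalous ([] if benign)."""
    if INTEGER_ID.match(value):
        return []
    return [name for name, rx in REASONS if rx.search(value)] or ["non_integer"]

def scan_log(text):
    """Return (client_ip, decoded_value, reasons) for each anomalous wpmlsubscriber_id."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue
        ip, _ts, _method, target, _status = m.groups()
        params = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for raw in params.get("wpmlsubscriber_id", []):
            # parse_qs already decoded once; decode again so a double-encoded
            # value such as %2527 cannot slip past the integer check.
            value = unquote_plus(raw)
            reasons = classify_value(value)
            if reasons:
                findings.append((ip, value, reasons))
    return findings
```

Access logs do not record POST bodies, so the same classify_value check has to run in the WAF or reverse proxy for the parameter to be covered on POST requests as well.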
- contrid / Newsletters: ≤ 4.13
- CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N