PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-3985 constantcontact CVE debrief

The Creative Mail – Easier WordPress & WooCommerce Email Marketing plugin for WordPress is vulnerable to SQL Injection via the 'checkout_uuid' parameter in all versions up to, and including, 1.6.9. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query in the `has_checkout_consent()` method. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Vendor
constantcontact
Product
Creative Mail – Easier WordPress & WooCommerce Email Marketing
CVSS
HIGH 7.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-20
Original CVE updated
2026-05-20
Advisory published
2026-05-20
Advisory updated
2026-05-20

Who should care

WordPress site administrators using the Creative Mail plugin, WooCommerce store operators, security teams monitoring WordPress installations, and hosting providers managing shared WordPress environments should prioritize patching this vulnerability due to its unauthenticated nature and high confidentiality impact.

Technical summary

The vulnerability exists in the `has_checkout_consent()` method, where the 'checkout_uuid' parameter is not escaped before being incorporated into a SQL query built from the raw value rather than through a prepared statement. The parameter is user-supplied and reachable without authentication. An attacker can therefore terminate the string literal and inject further SQL into the existing query, which the CVE text describes as sufficient to extract sensitive database contents: WordPress password hashes from the users table, WooCommerce order data, and anything else the plugin's database account can read. The CVSS vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) scores only confidentiality: the attack is network-reachable, low complexity, and needs no privileges or user interaction, but no integrity or availability impact is claimed.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade the Creative Mail plugin to a release newer than 1.6.9 as soon as the vendor publishes one; the stored evidence does not name a fixed version, so confirm the fix in the plugin changelog before relying on it
  • If immediate patching is not possible, temporarily disable the plugin or add a Web Application Firewall (WAF) rule that rejects any 'checkout_uuid' value that is not a well-formed UUID (the parameter name implies that format; values containing quotes, comment sequences or SQL keywords should never be legitimate)
  • Review web server access logs, and database query logs where they are enabled, for requests carrying 'checkout_uuid' values with quotes, `--`, `UNION` or other SQL fragments, which would indicate exploitation attempts
  • Apply the principle of least privilege to the database account used by the WordPress installation, so that a successful injection cannot read beyond the site's own schema
  • Monitor for unauthorized data access or exfiltration from the WordPress database, and treat any hit on the log review above as a trigger to rotate credentials and audit user accounts
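The mechanism in the technical summary and the allowlist/log-review mitigations above, as an added example that is not the plugin's own code (the plugin is PHP and uses `$wpdb`; this models the same bug class over SQLite so it runs stand-alone). The table names, the consent-table layout, the password hash string and the access-log lines are all constructed for the demonstration, and the endpoint path is an assumption.

```python
import re
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Constructed schema standing in for the plugin's consent table and wp_users.
# Table/column names and the hash value are placeholders, not the real plugin's.
SCHEMA = """
CREATE TABLE cm_checkout_consent (checkout_uuid TEXT PRIMARY KEY, consent INTEGER);
CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
INSERT INTO cm_checkout_consent VALUES ('9d5bb4e0-9f1c-4c2d-8b59-0a1c2f0c7e4a', 1);
INSERT INTO wp_users VALUES (1, 'admin', '$P$BfakeHashForDemoOnly0000000000');
"""

# RFC 4122 shape: 8-4-4-4-12 hex, version nibble 1-5, variant nibble 8-b.
UUID_RE = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-[1-5][0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}", re.I
)


def open_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def has_checkout_consent_vulnerable(conn, checkout_uuid):
    # Models the bug class: the raw value is concatenated into the SQL text,
    # so a quote in the input closes the literal and the remainder is parsed as SQL.
    sql = (
        "SELECT consent FROM cm_checkout_consent WHERE checkout_uuid = '"
        + checkout_uuid
        + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def has_checkout_consent_fixed(conn, checkout_uuid):
    # Hardened form: allowlist the value's shape, then bind it as a parameter
    # (the equivalent of $wpdb->prepare(..., %s) in WordPress) so the database
    # never interprets it as SQL. Returns a bool only, never raw column data.
    if not UUID_RE.fullmatch(checkout_uuid):
        return False
    row = conn.execute(
        "SELECT consent FROM cm_checkout_consent WHERE checkout_uuid = ?",
        (checkout_uuid,),
    ).fetchone()
    return bool(row and row[0])


# Constructed access-log lines in combined-log format; the request path is assumed.
SAMPLE_LOG = [
    '203.0.113.5 - - [20/May/2026:10:00:01 +0000] "GET /?checkout_uuid=9d5bb4e0-9f1c-4c2d-8b59-0a1c2f0c7e4a HTTP/1.1" 200 512',
    '198.51.100.7 - - [20/May/2026:10:00:02 +0000] "GET /?checkout_uuid=%27%20UNION%20SELECT%20user_pass%20FROM%20wp_users--%20 HTTP/1.1" 200 640',
    '198.51.100.7 - - [20/May/2026:10:00:03 +0000] "GET /wp-login.php HTTP/1.1" 200 2048',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def flag_suspicious_requests(log_lines):
    """Return (line, decoded value) for every checkout_uuid that is not a well-formed UUID.

    The same UUID_RE predicate is what a WAF rule would enforce; here it is applied
    retrospectively to access logs for the review step.
    """
    flagged = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        params = parse_qs(urlsplit(m.group(1)).query)  # parse_qs percent-decodes
        for value in params.get("checkout_uuid", []):
            if not UUID_RE.fullmatch(value):
                flagged.append((line, value))
    return flagged


if __name__ == "__main__":
    db = open_db()
    payload = "' UNION SELECT user_pass FROM wp_users-- "
    print("vulnerable:", has_checkout_consent_vulnerable(db, payload))  # leaks the hash
    print("fixed:     ", has_checkout_consent_fixed(db, payload))       # False
    for line, value in flag_suspicious_requests(SAMPLE_LOG):
        print("suspicious checkout_uuid:", repr(value))
```

The UNION payload works against the concatenating version because the injected SELECT has the same column count as the original query; the hardened version rejects it on format before the database is ever consulted, and even a well-formed but unknown UUID yields only `False`, not row data.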

Evidence notes

The vulnerability is classified as CWE-89 (SQL Injection). The CVSS 3.1 vector is AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, indicating network-based attack with low complexity, no privileges required, no user interaction, and high impact on confidentiality. The vulnerability status in NVD is 'Deferred'. Source references include WordPress plugin repository code browser links showing the affected code in CheckoutManager.php and DatabaseManager.php, as well as a Wordfence threat intelligence advisory.

Official resources

The vulnerability was disclosed on 2026-05-20 and affects all versions up to and including 1.6.9 of the Creative Mail plugin. The issue stems from improper sanitization of the 'checkout_uuid' parameter in the `has_checkout_consent()` method. The stored evidence references the WordPress plugin repository code browser entries for CheckoutManager.php and DatabaseManager.php and a Wordfence advisory; no vendor bulletin or fixed-version changelog is recorded.