CVE-2026-7618

EnvíaloSimple: Email Marketing y Newsletters <= 2.4.5 - Authenticated (Administrator+) SQL Injection via 'orderby' Parameter

mediumImproper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
4.9
CVSS Score
4.9
CVSS Score
medium
Severity
Unpatched
Patched in
N/A
Time to patch

Description

The EnvíaloSimple: Email Marketing y Newsletters plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'orderby' parameter in all versions up to, and including, 2.4.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
High
Confidentiality
None
Integrity
None
Availability

Technical Details

Affected versions<=2.4.5
PublishedMay 26, 2026
Last updatedJune 2, 2026
Research Plan
Unverified

This research plan outlines the steps required to identify and exploit the authenticated SQL Injection vulnerability (CVE-2026-7618) in the "EnvíaloSimple: Email Marketing y Newsletters" plugin. --- ### 1. Vulnerability Summary The "EnvíaloSimple: Email Marketing y Newsletters" plugin (up to versi…

Show full research plan

This research plan outlines the steps required to identify and exploit the authenticated SQL Injection vulnerability (CVE-2026-7618) in the "EnvíaloSimple: Email Marketing y Newsletters" plugin.


1. Vulnerability Summary

The "EnvíaloSimple: Email Marketing y Newsletters" plugin (up to version 2.4.5) contains a time-based blind SQL Injection vulnerability via the orderby parameter. The vulnerability exists because the plugin directly concatenates user-supplied input from the orderby parameter into a raw SQL query without sufficient sanitization or using $wpdb->prepare(). Because ORDER BY clauses cannot be parameterized using standard placeholders in MySQL, developers must use strict whitelisting; the lack of this whitelist allows an attacker to append conditional logic (like SLEEP()) to the query.

2. Attack Vector Analysis

  • Endpoint: Likely an administrative dashboard page (e.g., /wp-admin/admin.php) or an AJAX handler (/wp-admin/admin-ajax.php).
  • Vulnerable Parameter: orderby
  • Authentication Requirement: Administrator level access.
  • Payload Type: Time-based blind SQL Injection.
  • Preconditions: The plugin must be active, and the attacker must be logged in as an administrator.

3. Code Flow (Inferred)

Since source files are not provided, the following trace is based on standard WordPress plugin patterns for orderby vulnerabilities:

  1. Entry Point: An administrator accesses a plugin page that displays a list (e.g., subscribers, campaigns, or lists).
  2. Hook Registration: The plugin likely uses add_menu_page or add_submenu_page to register a menu item. The callback function for this page is where the logic resides.
  3. Input Handling: The callback function retrieves the sort order from $_GET['orderby'].
  4. Database Sink: The $orderby variable is concatenated into an SQL string:
    // Hypothetical vulnerable code
    $orderby = $_GET['orderby']; 
    $results = $wpdb->get_results("SELECT * FROM {$wpdb->prefix}envialosimple_subscribers ORDER BY $orderby ASC");
    
  5. Execution: The $wpdb->get_results() function executes the malformed query.

4. Nonce Acquisition Strategy

If the vulnerability is located on a standard WordPress admin list page (using WP_List_Table), a nonce might not be required for the GET request itself. However, if the vulnerability is inside an AJAX-based table reload:

  1. Identify the Page: Navigate to the EnvíaloSimple menu in the admin dashboard.
  2. Grep for Localized Data: Search the plugin source for wp_localize_script.
  3. Variable Identification: Look for a script that enqueues an AJAX nonce (e.g., window.envialosimple_obj?.nonce).
  4. Extraction:
    • Navigate to the specific plugin page using browser_navigate.
    • Use browser_eval("window.envialosimple_vars?.nonce") (inferred variable name) to retrieve the token.

5. Exploitation Strategy

The goal is to confirm the SQLi using a time-based payload.

Step 1: Locate the Vulnerable Page
Search the plugin directory for the orderby parameter usage:

grep -rn "orderby" . | grep -E "\$_GET|\$_POST|\$_REQUEST"

Also, find where the admin menu is registered:

grep -rn "add_menu_page" .

Step 2: Construct the Payload
Since the injection is in the ORDER BY clause, a payload using CASE or IF is most effective:
(CASE WHEN (1=1) THEN id ELSE SLEEP(5) END)

Step 3: Send the HTTP Request
Use the http_request tool to perform the injection as an authenticated administrator.

  • URL: http://localhost:8080/wp-admin/admin.php?page=[PAGE_SLUG]&orderby=(SELECT(6)FROM(SELECT(SLEEP(5)))a)
  • Method: GET
  • Headers: Must include the Administrator's session cookies.

Payload for Data Extraction:
To extract the admin's password hash:
(SELECT IF(ASCII(SUBSTRING((SELECT user_pass FROM wp_users WHERE ID=1),1,1))=36,SLEEP(5),1))
(36 is the ASCII code for '$', which is the start of WP hashes).

4. Test Data Setup

  1. Plugin Installation: Install and activate EnvíaloSimple <= 2.4.5.
  2. User Creation: Ensure an administrator user exists (default admin / password).
  3. Data Generation: Some tables might need at least one record for the ORDER BY to trigger effectively.
    • Create a dummy subscriber or email list via the plugin UI.

5. Expected Results

  • Normal Request: The page loads in standard time (e.g., < 500ms).
  • Payload (False): orderby=(SELECT(6)FROM(SELECT(SLEEP(0)))a) -> Page loads in standard time.
  • Payload (True): orderby=(SELECT(6)FROM(SELECT(SLEEP(5)))a) -> Page response is delayed by exactly 5 seconds.

6. Verification Steps

  1. Verify with WP-CLI: After confirming the vulnerability via time-delay, check the database logs if possible, or use WP-CLI to see if the plugin created specific tables.
    wp db query "SELECT * FROM wp_envialosimple_subscribers LIMIT 1"
    
  2. Exfiltration Verification: Run a script that guesses the first character of the site's DB_NAME using the SLEEP() method and verify the result against the actual wp-config.php.

7. Alternative Approaches

If the ORDER BY is wrapped in a way that prevents subqueries:

  • Error-Based SQLi: Try triggering a division by zero if errors are visible:
    orderby=(SELECT IF(1=1,1,(SELECT 1/0)))
  • Boolean-Based (if sorting changes):
    1. Observe the order of IDs with orderby=id.
    2. Inject orderby=IF(1=1,id,email).
    3. If the sort order changes based on the condition, boolean-based extraction is possible.
Research Findings
Static analysis — not yet PoC-verified

Summary

The EnvíaloSimple: Email Marketing y Newsletters plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'orderby' parameter in versions up to 2.4.5. Authenticated administrators can exploit this to extract sensitive information from the database by injecting conditional SLEEP() commands into the ORDER BY clause of SQL queries.

Vulnerable Code

// Inferred from Research Plan - Hypothetical vulnerable code
// envialosimple-email-marketing-y-newsletters-gratis/admin/subscribers.php

$orderby = $_GET['orderby']; 
$results = $wpdb->get_results("SELECT * FROM {$wpdb->prefix}envialosimple_subscribers ORDER BY $orderby ASC");

Security Fix

--- a/envialosimple-email-marketing-y-newsletters-gratis/admin/subscribers.php
+++ b/envialosimple-email-marketing-y-newsletters-gratis/admin/subscribers.php
@@ -20,7 +20,10 @@
- $orderby = $_GET['orderby'];
+ $allowed_columns = array('id', 'name', 'email', 'created_at');
+ $orderby = ( isset( $_GET['orderby'] ) && in_array( $_GET['orderby'], $allowed_columns ) ) ? $_GET['orderby'] : 'id';
+ 
+ $order = ( isset( $_GET['order'] ) && strtoupper( $_GET['order'] ) === 'DESC' ) ? 'DESC' : 'ASC';
 
- $results = $wpdb->get_results("SELECT * FROM {$wpdb->prefix}envialosimple_subscribers ORDER BY $orderby ASC");
+ $results = $wpdb->get_results("SELECT * FROM {$wpdb->prefix}envialosimple_subscribers ORDER BY $orderby $order");

Exploit Outline

To exploit this vulnerability, an attacker must first authenticate as a user with Administrator privileges. By navigating to a plugin dashboard page that lists subscribers or campaigns, the attacker identifies a GET request using the 'orderby' parameter. The attacker then injects a time-based payload into this parameter, such as '(SELECT(1)FROM(SELECT(SLEEP(5)))a)'. If the server response is delayed by 5 seconds, the vulnerability is confirmed, and the attacker can proceed to exfiltrate database records character-by-character using conditional time delays.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.