CVE-2026-3985

Creative Mail · Creative Mail – Easier WordPress & WooCommerce Email Marketing

The Creative Mail plugin for WordPress is vulnerable to SQL injection via the 'checkout_uuid' parameter, allowing unauthorized database interactions.

Executive summary

The Creative Mail plugin for WordPress contains a high-severity SQL injection vulnerability that could allow attackers to manipulate database queries and compromise site data.

Vulnerability

This vulnerability is an SQL injection flaw triggered via the 'checkout_uuid' parameter. Based on the plugin architecture, this flaw is likely exploitable by an unauthenticated attacker to execute arbitrary SQL commands against the WordPress database.

Business impact

Successful exploitation of this SQL injection vulnerability could result in unauthorized access to sensitive customer data, including email marketing lists and WooCommerce transaction details. Given the CVSS score of 7.5, this represents a significant risk to data integrity and confidentiality, potentially leading to regulatory compliance failures and reputational damage.

Remediation

Immediate Action: Update the Creative Mail plugin to the latest available version provided by the vendor. If an update is not currently available, consider disabling or uninstalling the plugin until a secure version is released.

Proactive Monitoring: Review database error logs for suspicious query patterns or unexpected SQL syntax errors. Monitor web traffic for malicious payloads targeting the 'checkout_uuid' parameter.

Compensating Controls: Deploy a Web Application Firewall (WAF) with rules configured to detect and block SQL injection patterns targeting WordPress plugin parameters.
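As an added example (not part of this CVE record and not code from the Creative Mail plugin), the following Python script implements the log review described under Proactive Monitoring: it parses common-format web access log lines, extracts the checkout_uuid query parameter, and flags values that are not well-formed UUIDs or that carry SQL-injection indicators. It assumes the parameter is meant to hold a UUID and that the logs are in Apache/nginx common log format; the log lines, IP addresses and request paths below are constructed for the demonstration, not taken from any real deployment.

```python
"""Flag suspicious 'checkout_uuid' values in web access logs.

Added example for the CVE-2026-3985 advisory; not the plugin's code.
Assumption: checkout_uuid is expected to be an RFC 4122-style UUID, so an
allowlist check on shape is the primary control and the pattern list only
explains why a non-UUID value looks like an injection attempt.
"""
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Strict UUID shape: 8-4-4-4-12 hex groups (assumption about the parameter).
UUID_RE = re.compile(
    r"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$"
)

# Coarse SQL-injection indicators, evaluated on the URL-decoded value.
SQLI_INDICATORS = [
    ("quote", re.compile(r"['\"]")),
    ("comment", re.compile(r"--|#|/\*")),
    ("boolean", re.compile(r"\b(or|and)\b\s+[\w'\"]+\s*=", re.I)),
    ("union", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("time", re.compile(r"\b(sleep|benchmark|pg_sleep)\s*\(", re.I)),
]

# Common log format: ip ident user [timestamp] "METHOD target PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (not real traffic). 203.0.113.0/24 is documentation space.
SAMPLE_LOG = [
    '203.0.113.10 - - [12/Mar/2026:10:00:01 +0000] "GET /?checkout_uuid=3f2b9c0e-7d1a-4b8e-9c3d-2a1f0e9d8c7b HTTP/1.1" 200 512',
    '203.0.113.11 - - [12/Mar/2026:10:00:02 +0000] "GET /?checkout_uuid=3f2b9c0e%27%20OR%20%271%27%3D%271 HTTP/1.1" 200 9184',
    '203.0.113.12 - - [12/Mar/2026:10:00:03 +0000] "GET /?checkout_uuid=abc%2520UNION%2520SELECT%25201 HTTP/1.1" 500 311',
    '203.0.113.13 - - [12/Mar/2026:10:00:04 +0000] "GET /wp-login.php HTTP/1.1" 200 2048',
    '203.0.113.14 - - [12/Mar/2026:10:00:05 +0000] "GET /?checkout_uuid=12345 HTTP/1.1" 200 512',
]


def extract_checkout_uuid(target):
    """Return the once-decoded checkout_uuid value from a request target, or None."""
    query = urlsplit(target).query
    values = parse_qs(query, keep_blank_values=True).get("checkout_uuid")
    return values[0] if values else None


def assess_value(value):
    """Classify one parameter value as ('ok', []) or ('suspicious', reasons)."""
    if UUID_RE.match(value):
        return "ok", []
    # Decode a second time so double-encoded payloads are inspected too.
    probe = unquote_plus(value)
    reasons = [name for name, rx in SQLI_INDICATORS if rx.search(probe)]
    if not reasons:
        reasons = ["not-a-uuid"]
    return "suspicious", reasons


def scan_log(lines):
    """Return (ip, timestamp, value, reasons) for each request with a suspicious checkout_uuid."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected log format; skip rather than guess
        value = extract_checkout_uuid(m.group("target"))
        if value is None:
            continue  # request does not carry the parameter
        verdict, reasons = assess_value(value)
        if verdict == "suspicious":
            findings.append((m.group("ip"), m.group("ts"), value, reasons))
    return findings


if __name__ == "__main__":
    for ip, ts, value, reasons in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} checkout_uuid={value!r} -> {', '.join(reasons)}")
```

Run as-is it reports three of the five sample requests. The same allowlist idea (accept only a UUID-shaped value, reject everything else) is a tighter WAF rule for this parameter than a denylist of injection keywords, since a rejected value needs no further pattern to match.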

Exploitation status

Public Exploit Available: false

Analyst recommendation

Organizations using the Creative Mail plugin must prioritize this update to prevent potential data breaches. Given the critical nature of SQL injection vulnerabilities, immediate mitigation is required to protect the integrity of the WordPress environment.