CVE-2026-7618
Time-Based Blind SQL Injection in EnvíaloSimple WordPress Plugin
Publication date: 2026-05-27
Last updated on: 2026-05-27
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| envialosimple | email_marketing_y_newsletters | up to and including 2.4.5 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
The EnvíaloSimple: Email Marketing y Newsletters plugin for WordPress has a time-based blind SQL Injection vulnerability in the 'orderby' parameter in all versions up to and including 2.4.5.
This vulnerability exists because the plugin does not properly escape user-supplied input and does not sufficiently prepare the SQL query, allowing attackers to append additional SQL commands.
Only authenticated users with administrator-level access or higher can exploit this vulnerability to extract sensitive information from the database.
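As an added illustration (not the plugin's code, which this page does not show), the PHP sketch below contrasts the two patterns the answer above describes: an 'orderby' value concatenated into the query, and the allow-list a plugin needs because `$wpdb->prepare()` binds values, not column identifiers. The table and column names are hypothetical.

```php
<?php
// Added example, not code from the EnvíaloSimple plugin. Table and column
// names are hypothetical; the request values at the bottom are constructed.

// Vulnerable pattern: the sort column arrives from the request and is spliced
// straight into the SQL text. Note that $wpdb->prepare() would not help here:
// its %s/%d placeholders bind values, and a column name is an identifier, so a
// "prepared" query that still concatenates $orderby remains injectable.
function build_query_vulnerable(string $orderby, string $order): string {
    return "SELECT id, email FROM wp_es_subscribers ORDER BY $orderby $order";
}

// Hardened pattern: the request value is only ever used as a lookup key into a
// fixed map of sortable columns, and the direction is reduced to ASC/DESC.
// Unknown input falls back to a default instead of reaching the query.
function build_query_safe(string $orderby, string $order): string {
    $allowed_columns = [
        'id'      => 'id',
        'email'   => 'email',
        'created' => 'created_at',
    ];
    $column    = $allowed_columns[$orderby] ?? 'id';
    $direction = strtoupper($order) === 'DESC' ? 'DESC' : 'ASC';
    return "SELECT id, email FROM wp_es_subscribers ORDER BY $column $direction";
}

// Returns true when the generated SQL only ever contains allow-listed tokens,
// which is the property a reviewer should check on the patched code path.
function order_clause_is_allowlisted(string $sql): bool {
    return (bool) preg_match(
        '/ORDER BY (id|email|created_at) (ASC|DESC)$/',
        $sql
    );
}

// Constructed inputs: a legitimate column and a value that is not a column
// name. The vulnerable builder treats the second one as SQL; the safe builder
// discards it and sorts by the default column.
$inputs = ['email', 'email, LENGTH(email)'];
foreach ($inputs as $value) {
    $bad  = build_query_vulnerable($value, 'asc');
    $good = build_query_safe($value, 'asc');
    printf("vulnerable: %s  [allow-listed: %s]\n", $bad,
        order_clause_is_allowlisted($bad) ? 'yes' : 'no');
    printf("safe:       %s  [allow-listed: %s]\n", $good,
        order_clause_is_allowlisted($good) ? 'yes' : 'no');
}
```

Running it with `php` prints the two generated queries for each input; only the hardened builder yields an allow-listed ORDER BY clause for the second value.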
How can this vulnerability impact me?
An attacker with administrator-level access can exploit this vulnerability to perform time-based blind SQL Injection attacks.
This can lead to unauthorized extraction of sensitive information from the database.
The vulnerability has a CVSS base score of 4.9, indicating a medium severity impact primarily on confidentiality.