Creative Mail plugin SQL injection SQL injection flaw (CVE-2026-3985)
Vulnerability
Summary
Hide ▲
Show ▼
A SQL injection flaw in the Creative Mail plugin exposes database read access, including admin hashes and secret tokens. The issue is tracked as CVE-2026-3985 and requires WooCommerce alongside Creative Mail to reach the vulnerable path. A working proof of concept was produced, and the plugin was pulled from the WordPress store pending review. Sites running that combination face immediate credential and token disclosure risk until a patch is available.
Timeline
-
15.07.2026 17:01 2 articles · 2h ago
Creative Mail plugin SQL injection exposes database data
Initial DisclosureIntruder disclosed CVE-2026-3985, a multi-stage SQL injection in the Creative Mail WordPress plugin that can expose database contents, including admin hashes and secret tokens. Exploitation requires WooCommerce to be installed alongside Creative Mail, and the team produced a working proof of concept with a password-hash extraction method. The plugin was pulled from the WordPress store pending review, and sites running Creative Mail with WooCommerce were told to disable it until a patch is available.
Show sources
- We built a vulnerability vending machine: AI tokens in, zero-days out — www.bleepingcomputer.com — 15.07.2026 17:01
- We built a vulnerability vending machine: AI tokens in, zero-days out — www.bleepingcomputer.com — 15.07.2026 17:01