Find notable cyber news and cases, enriched with sources, timelines, and signals.

Creative Mail plugin SQL injection SQL injection flaw (CVE-2026-3985)

Vulnerability
First reported
Last updated
Happening score
H score 50
1 unique sources, 1 articles

Summary

Hide ▲

A SQL injection flaw in the Creative Mail plugin exposes database read access, including admin hashes and secret tokens. The issue is tracked as CVE-2026-3985 and requires WooCommerce alongside Creative Mail to reach the vulnerable path. A working proof of concept was produced, and the plugin was pulled from the WordPress store pending review. Sites running that combination face immediate credential and token disclosure risk until a patch is available.

Timeline

  1. 15.07.2026 17:01 2 articles · 2h ago

    Creative Mail plugin SQL injection exposes database data

    Initial Disclosure

    Intruder disclosed CVE-2026-3985, a multi-stage SQL injection in the Creative Mail WordPress plugin that can expose database contents, including admin hashes and secret tokens. Exploitation requires WooCommerce to be installed alongside Creative Mail, and the team produced a working proof of concept with a password-hash extraction method. The plugin was pulled from the WordPress store pending review, and sites running Creative Mail with WooCommerce were told to disable it until a patch is available.

    Show sources