SQL Injection in Creative Mail WordPress Plugin: Your WooCommerce Store's Checkout Data Is Wide Open
CVE-2026-3985 exposes a high-severity SQL injection in the Creative Mail WordPress plugin via the checkout_uuid parameter, affecting all versions up to 1.6.9. Here's how it works and what to do now.
Your WooCommerce Email Marketing Plugin Just Became an Attack Vector
If you're running a WooCommerce store with the Creative Mail plugin — and there are over 100,000 active installations — you need to stop what you're doing and patch. CVE-2026-3985 is a high-severity SQL injection (CVSS 7.5) that lets unauthenticated attackers query your database through the checkout_uuid parameter.
This isn't some obscure admin-only bug that requires a compromised account. This is reachable without authentication. On an e-commerce site. Where customer PII, order history, and payment metadata live. The stakes here are about as high as they get for a WordPress plugin vulnerability.
Let me walk you through exactly what's happening, how it's exploitable, and what you need to do about it today.
What Happened
The Creative Mail plugin — marketed as an "easier" way to handle WordPress and WooCommerce email marketing — contains a SQL injection vulnerability in all versions up to and including 1.6.9. The flaw exists in how the plugin handles the checkout_uuid parameter, which is used to track WooCommerce checkout sessions for email marketing automation.
The vulnerability was assigned CVE-2026-3985 with a CVSS score of 7.5 (HIGH). The attack vector is network-based, requires no authentication, and has low attack complexity. That's the trifecta of "this will be exploited in the wild."
What makes this particularly nasty is the context. Creative Mail integrates deeply with WooCommerce checkout flows. The checkout_uuid parameter is part of the plugin's mechanism for correlating abandoned carts and checkout events with email campaigns. It's exposed through AJAX endpoints or REST routes that handle checkout tracking — endpoints that by design need to be accessible without authentication.
The plugin developers at Jesuspended (Jeeng/Jeeng Creative) failed to properly sanitize or parameterize this input before passing it into a database query. Classic mistake, devastating consequences.
Technical Deep-Dive: How the Injection Works
The vulnerable pattern likely looks something like this in the plugin's PHP code. The checkout_uuid value comes in from a request and gets interpolated directly into a SQL query:
```php
// Vulnerable pattern in Creative Mail <= 1.6.9
// File: creative-mail-by-jeeng/src/managers/CheckoutManager.php (approximate)
function get_checkout_data() {
    global $wpdb;
    $checkout_uuid = $_GET['checkout_uuid']; // or $_POST
    // VULNERABLE: Direct string interpolation in SQL
    $result = $wpdb->get_row(
        "SELECT * FROM {$wpdb->prefix}ce4wp_checkout
         WHERE checkout_uuid = '" . $checkout_uuid . "'"
    );
    return $result;
}
```
The problem is obvious to anyone who's seen SQL injection before: no $wpdb->prepare(), no sanitization, no parameterized query. The checkout_uuid value goes straight from user input into the query string.
An attacker can exploit this with a straightforward time-based blind SQL injection. Since the endpoint might not return query results directly in the response, blind techniques extract data character by character:
```http
GET /wp-admin/admin-ajax.php?action=ce4wp_checkout_data&checkout_uuid=' OR IF(SUBSTRING((SELECT user_pass FROM wp_users WHERE ID=1),1,1)='$',SLEEP(5),0)-- - HTTP/1.1
Host: target-store.com
```
Or for a more direct UNION-based extraction if the response reflects data:
```http
GET /wp-admin/admin-ajax.php?action=ce4wp_checkout_data&checkout_uuid=' UNION SELECT user_login,user_pass,user_email,4,5,6,7 FROM wp_users WHERE user_login='admin'-- - HTTP/1.1
Host: target-store.com
```
The root cause is the same thing that's been causing SQL injection since 1998: trusting user input and concatenating it into SQL strings. WordPress provides $wpdb->prepare() specifically to prevent this. It's been available since WordPress 2.3. There is no excuse for a plugin with 100k+ installs to ship code like this in 2026.
What makes this worse is that the checkout_uuid parameter is designed to be a UUID — a fixed-format string. Input validation alone (checking UUID format with a regex) would have prevented exploitation even without parameterized queries. Defense in depth was completely absent.
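Here is what the hardened handler looks like with both layers the text calls for, strict UUID validation and $wpdb->prepare(). This is an added example, not the plugin's own code; it assumes it runs inside WordPress (global $wpdb, wp_unslash() available), and the function and table names follow the approximate sketch above.

```php
<?php
// Added example (not from the Creative Mail plugin): hardened version of the
// vulnerable pattern. Assumes a WordPress runtime where $wpdb and wp_unslash()
// exist. Function/table names mirror the approximate sketch above.

/**
 * Return true only for a canonical 8-4-4-4-12 hexadecimal UUID.
 * A real UUID can never contain quotes, spaces or SQL keywords, so this
 * check alone would have refused every payload shown earlier.
 */
function ce4wp_is_valid_uuid( $value ) {
    return is_string( $value )
        && 1 === preg_match(
            '/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i',
            $value
        );
}

function get_checkout_data() {
    global $wpdb;

    // Read the parameter (GET here, same idea for POST) and strip the
    // slashes WordPress adds to request superglobals.
    $checkout_uuid = isset( $_GET['checkout_uuid'] )
        ? wp_unslash( $_GET['checkout_uuid'] )
        : '';

    // Layer 1: input validation. Anything that is not a UUID is rejected
    // before it gets anywhere near the database.
    if ( ! ce4wp_is_valid_uuid( $checkout_uuid ) ) {
        return null;
    }

    // Layer 2: parameterized query. prepare() escapes and quotes the %s
    // placeholder itself; the value is never concatenated into the SQL.
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}ce4wp_checkout WHERE checkout_uuid = %s",
        $checkout_uuid
    );

    return $wpdb->get_row( $sql );
}
```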
Impact: Who's Exposed and How Bad Is It
The blast radius here is significant. Creative Mail has 100,000+ active installations according to the WordPress plugin directory. These are predominantly WooCommerce stores — meaning the databases behind them contain customer names, email addresses, physical addresses, order histories, and potentially partial payment information.
With SQL injection access, an attacker can:
- Dump the entire `wp_users` table — admin credentials, customer accounts, password hashes
- Extract WooCommerce order data — names, addresses, phone numbers, order details from `wp_wc_orders` or `wp_posts`
- Read `wp_options` — which contains auth keys, salts, API credentials for payment gateways, SMTP passwords
- Potentially write data if the database user has INSERT/UPDATE privileges, enabling admin account creation
For any store subject to GDPR, PCI-DSS, or similar regulations, successful exploitation of this vulnerability is a reportable data breach. The fact that it's unauthenticated means you can't even scope the incident by looking at authenticated sessions — any IP could have exploited this.
What To Do Right Now
Step 1: Update immediately. The fix should be available in version 1.7.0 or later of the Creative Mail plugin. Run this now:
```shell
# Update via WP-CLI
wp plugin update creative-mail-by-jeeng
# Verify the installed version
wp plugin get creative-mail-by-jeeng --field=version
```
If you can't update immediately, deactivate the plugin until you can:
```shell
wp plugin deactivate creative-mail-by-jeeng
```
Step 2: Check your logs for exploitation attempts. Look for suspicious values in the checkout_uuid parameter:
```shell
# Search access logs for SQLi indicators in checkout_uuid (raw and URL-encoded single quote)
grep -iE "checkout_uuid=.*('|%27|UNION|SELECT|SLEEP|BENCHMARK|OR\+|OR%20)" /var/log/nginx/access.log /var/log/apache2/access.log
```
Step 3: Add a WAF rule as defense in depth. If you're running ModSecurity, Cloudflare, or Wordfence, ensure SQL injection rules are active on AJAX endpoints. A targeted rule:
```
# Cloudflare WAF custom rule (expression)
(http.request.uri.query contains "checkout_uuid" and
 http.request.uri.query matches "(?i)(union|select|sleep|benchmark|'|--|;)")
```
Step 4: If you find evidence of exploitation, treat it as a full database compromise. Rotate all secrets in wp-config.php, force-reset all user passwords, rotate API keys for payment gateways, and notify affected customers per your regulatory obligations.
Warning: Don't assume you're safe just because you don't see exploitation in logs. Blind SQL injection via SLEEP-based timing attacks leaves minimal log artifacts beyond the request itself. If the plugin was vulnerable and internet-facing, assume the worst and rotate credentials.
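Since the request line is the one artifact that does survive, a more reliable check than the keyword grep in Step 2 is to decode the checkout_uuid value and flag anything that is not a well-formed UUID, which also catches URL-encoded payloads. The PHP CLI script below is an added example, not part of the original post; the access-log lines inside it are constructed, and the action name is the one used in the request examples above.

```php
<?php
// Added example (not from the post): flag access-log requests whose
// checkout_uuid, after URL decoding, is not a canonical UUID.
// Works on nginx/Apache combined-format logs. Sample lines are constructed.

const UUID_RE = '/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i';

/**
 * Pull the decoded checkout_uuid value out of one log line, or null when
 * the request line carried no such parameter.
 */
function extract_checkout_uuid( string $line ): ?string {
    // Request line inside the entry: "GET /path?query HTTP/1.1"
    if ( ! preg_match( '/"(?:GET|POST) [^?\s]+\?([^\s"]+) HTTP/', $line, $m ) ) {
        return null;
    }
    parse_str( $m[1], $params ); // parse_str URL-decodes each value (%27, %20, +)
    return isset( $params['checkout_uuid'] ) ? (string) $params['checkout_uuid'] : null;
}

/** Return only the lines whose checkout_uuid is present but malformed. */
function suspicious_lines( array $lines ): array {
    $hits = [];
    foreach ( $lines as $line ) {
        $uuid = extract_checkout_uuid( $line );
        if ( $uuid !== null && 1 !== preg_match( UUID_RE, $uuid ) ) {
            $hits[] = $line;
        }
    }
    return $hits;
}

// Constructed sample: one legitimate request, one encoded probe, one
// legitimate-looking UUID with a trailing encoded quote.
$sample = [
    '203.0.113.5 - - [01/Jun/2026:10:00:00 +0000] "GET /wp-admin/admin-ajax.php?action=ce4wp_checkout_data&checkout_uuid=3f2504e0-4f89-11d3-9a0c-0305e82c3301 HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jun/2026:10:00:05 +0000] "GET /wp-admin/admin-ajax.php?action=ce4wp_checkout_data&checkout_uuid=%27%20OR%201%3D1--%20- HTTP/1.1" 200 14',
    '198.51.100.7 - - [01/Jun/2026:10:00:09 +0000] "GET /wp-admin/admin-ajax.php?action=ce4wp_checkout_data&checkout_uuid=3f2504e0-4f89-11d3-9a0c-0305e82c3301%27 HTTP/1.1" 200 14',
];

// Pass a log path as the first argument to scan a real file instead.
$lines = $argc > 1 ? file( $argv[1], FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES ) : $sample;

foreach ( suspicious_lines( $lines ) as $hit ) {
    echo "SUSPICIOUS: $hit\n";
}
```

Run it as `php scan_checkout_uuid.php /var/log/nginx/access.log`; the constructed sample flags the second and third lines and passes the first.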
The Bigger Picture
This is yet another reminder that the WordPress plugin ecosystem remains a minefield. A plugin that handles e-commerce checkout data — one of the most sensitive flows in any web application — shipped without basic input sanitization. Not a complex logic bug. Not a race condition. A textbook SQL injection that any static analysis tool would flag.
If you're running WooCommerce in production, you need to treat every third-party plugin as a potential liability. Audit what plugins have access to checkout and order data. Before installing a plugin, search its source for database queries that don't go through $wpdb->prepare(). And for anything touching PII or payment flows, consider whether the plugin's convenience is worth the risk surface it introduces.
The pattern repeats: marketing plugins get deep database access for "personalization" features, but don't get the security scrutiny that access demands. Your email marketing integration shouldn't be the reason you end up on a breach notification list.