CVE-2025-3107

Name of the Vulnerable Software and Affected Versions Newsletters plugin for WordPress versions up to and including 4.9.9.8

Description The issue allows authenticated attackers with Contributor-level access or higher to inject additional SQL queries into existing ones, potentially extracting sensitive information from the database. This is due to insufficient escaping of the user-supplied orderby parameter and lack of proper preparation of the existing SQL query.

Recommendations For versions up to and including 4.9.9.8, update to a version higher than 4.9.9.8 to resolve the issue. As a temporary workaround, consider restricting access to the orderby parameter in the affected API endpoint until a patch is available.