CVE-2022-0439

HIGH NUCLEI

Email Subscribers & Newsletters <5.3.2 - SQL Injection

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2022-0439. PoCs published by RandomRobbieBF. A Nuclei detection template is also available.

AI-analyzed exploit summary This PoC exploits a blind SQL injection vulnerability in the Email Subscribers & Newsletters WordPress plugin (CVE-2022-0439). It automates the process of fetching user hashes via sqlmap after authenticating with valid credentials.

Description

The Email Subscribers & Newsletters WordPress plugin before 5.3.2 does not correctly escape the `order` and `orderby` parameters to the `ajax_fetch_report_list` action, making it vulnerable to blind SQL injection attacks by users with roles as low as Subscriber. Further, it does not have any CSRF protection in place for the action, allowing an attacker to trick any logged in user to perform the action by clicking a link.

Exploits (1)

nomisec WORKING POC 1 stars

by RandomRobbieBF · poc

https://github.com/RandomRobbieBF/CVE-2022-0439

View Code ZIP pw:eip

This PoC exploits a blind SQL injection vulnerability in the Email Subscribers & Newsletters WordPress plugin (CVE-2022-0439). It automates the process of fetching user hashes via sqlmap after authenticating with valid credentials.

Classification

Working Poc 95%

Attack Type

Sqli

Complexity

Moderate

Reliability

Reliable

Target: Email Subscribers & Newsletters < 5.3.2

Auth required

Prerequisites: Valid WordPress credentials with subscriber+ role · sqlmap installed · Target running vulnerable plugin version

MITRE ATT&CK

T1189 - Drive-by Compromise T1505 - Server Software Component

devstral-2 · analyzed Feb 16, 2026 Full analysis →

Nuclei Templates (1)

Email Subscribers & Newsletters <= 5.3.1 - Authenticated SQL Injection

HIGHVERIFIEDby Shivam Kamboj

References (1)

Core 1

Core References

Exploit, Third Party Advisory exploit vdb-entry technical-description

https://wpscan.com/vulnerability/729d3e67-d081-4a4e-ac1e-f6b0a184f095

Scores

CVSS v3 8.8

EPSS 0.0418

EPSS Percentile 89.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-352 CWE-89

Status published

Products (1)

icegram/email_subscribers_\&_newsletters < 5.3.2

Published Mar 07, 2022

Tracked Since Feb 18, 2026