CVE-2025-3107: 
WordPress vulnerability analysis and mitigation

The Newsletters plugin for WordPress is vulnerable to time-based SQL Injection via the 'orderby' parameter in versions up to and including 4.9.9.8. The vulnerability was discovered and disclosed on May 13, 2025. This security issue affects the plugin's shortcode functionality and impacts authenticated users with Contributor-level access or higher (NVD).

The vulnerability exists due to insufficient escaping on the user-supplied 'orderby' parameter and lack of sufficient preparation on existing SQL queries. The issue has been assigned a CVSS v3.1 base score of 6.5 MEDIUM (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N). The vulnerability is located in the shortcode.php file of the plugin, specifically in the history function where the 'orderby' parameter is processed (Wiz).

The vulnerability allows authenticated attackers with Contributor-level access or higher to append additional SQL queries to existing queries, which can be exploited to extract sensitive information from the WordPress database. This could potentially expose subscriber data, email content, and other confidential information stored in the database (NVD).

The vulnerability has been patched in version 4.9.9.9 of the Newsletters plugin. Users are strongly advised to update to this version immediately. The update includes proper validation of the orderby parameter and implements additional security measures to prevent SQL injection attacks (Tribulant).