CVE-2026-1651 is a SQL Injection vulnerability classified under CWE-89 affecting the Icegram Email Subscribers & Newsletters plugin for WordPress, versions up to and including 5.9.16. The vulnerability stems from insufficient escaping and lack of proper preparation of the 'workflow_ids' parameter in SQL queries. Authenticated attackers with administrator-level privileges can exploit this flaw by injecting additional SQL commands into existing queries, potentially extracting sensitive data from the backend database. The attack vector is network-based (remote), requiring no user interaction but necessitating high privileges (administrator or above). The vulnerability does not impact availability but compromises confidentiality and integrity by enabling unauthorized data access and potential manipulation. Although no public exploits are currently known, the widespread use of WordPress and this plugin increases the risk of targeted attacks. The CVSS v3.1 base score of 6.5 reflects a medium severity, considering the ease of exploitation by privileged users and the significant impact on data confidentiality and integrity. The vulnerability was publicly disclosed in early March 2026, with no official patches yet linked, emphasizing the need for immediate mitigation steps.

The primary impact of this vulnerability is the unauthorized disclosure and potential manipulation of sensitive data stored in the WordPress site's database. Attackers with administrator access can leverage the SQL Injection flaw to extract confidential subscriber information, email lists, and possibly other sensitive site data. This can lead to privacy violations, data breaches, and reputational damage for organizations relying on the plugin for email marketing and notifications. Although the vulnerability requires high privileges, insider threats or compromised admin accounts can facilitate exploitation. The integrity of the database can also be compromised if attackers modify SQL queries to alter data. The availability of the system is not directly affected, but the breach of confidentiality and integrity can have severe operational and compliance consequences. Organizations worldwide using this plugin are at risk, especially those handling sensitive customer data or operating in regulated industries.

1. Apply patches or updates from the vendor as soon as they become available to address the SQL Injection vulnerability. 2. Until patches are released, restrict administrator-level access to trusted personnel only and enforce strong authentication mechanisms such as multi-factor authentication (MFA). 3. Employ Web Application Firewalls (WAFs) with SQL Injection detection and prevention capabilities to monitor and block malicious payloads targeting the 'workflow_ids' parameter. 4. Conduct regular security audits and code reviews of WordPress plugins to identify and remediate insecure coding practices. 5. Limit the use of plugins to those that are actively maintained and have a strong security track record. 6. Backup databases regularly and ensure backups are securely stored to enable recovery in case of data compromise. 7. Monitor logs for unusual database query patterns or unauthorized access attempts to detect exploitation attempts early. 8. Educate administrators on the risks of privilege misuse and the importance of secure credential management.