Attack Vectors
CVE-2026-1651 affects the WordPress plugin Email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter Plugin for WordPress (slug: email-subscribers) in versions up to 5.9.16. It is rated Medium severity (CVSS 6.5).
This issue can be exploited by an authenticated user with Administrator-level access (or higher). In practical business terms, that means the most likely “entry point” is not anonymous website traffic, but rather a compromised admin account, a malicious insider, or an attacker who gains elevated access through password reuse, phishing, or weak account controls.
The vulnerable input is the “workflow_ids” parameter. If an attacker can reach the affected functionality in the admin context, they may be able to manipulate database requests through that parameter.
Security Weakness
The vulnerability is an SQL Injection caused by insufficient escaping of user-supplied input and insufficient preparation of an existing database query involving the workflow_ids parameter (in all versions up to and including 5.9.16).
Put simply for non-technical stakeholders: the plugin can be tricked into asking the database a different question than intended. Even though this requires administrator-level access, it still represents a meaningful risk because admin accounts are high-value targets and are frequently involved in real-world breaches.
Remediation is straightforward: update to version 5.9.17 or newer, which is the patched release line cited by the source.
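To make the weakness concrete for developers reviewing their own plugins, the hypothetical handler below shows the unsafe pattern the advisory describes (IDs concatenated straight into the query) beside a hardened version that binds them through $wpdb->prepare(). This is an added illustration, not the email-subscribers plugin's code and not the 5.9.17 fix; the table name, nonce action and function names are assumed.

```php
<?php
// Hypothetical illustration only: NOT the email-subscribers plugin's code.
// Table name, nonce action and function names are assumed.

// UNSAFE PATTERN (what "insufficient escaping / insufficient preparation"
// looks like): the workflow_ids values are joined into the SQL string as-is,
// so any value that is not a plain integer changes the meaning of the query.
function hypothetical_unsafe_load_workflows( array $workflow_ids ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_workflows'; // assumed table name
    $ids   = implode( ',', $workflow_ids );       // no validation, no escaping
    return $wpdb->get_results( "SELECT * FROM {$table} WHERE id IN ({$ids})" );
}

// HARDENED PATTERN: coerce every id to a non-negative integer, then bind the
// values through $wpdb->prepare() with one %d placeholder per id, so the
// database never interprets request data as SQL.
function hypothetical_safe_load_workflows( array $workflow_ids ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_workflows'; // assumed table name

    // absint() is WordPress core: casts to int and drops negatives/garbage;
    // array_filter() then discards the 0 that non-numeric input collapses to.
    $ids = array_values( array_filter( array_map( 'absint', $workflow_ids ) ) );
    if ( empty( $ids ) ) {
        return array(); // nothing valid to query
    }

    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
    $sql = $wpdb->prepare(
        "SELECT * FROM {$table} WHERE id IN ({$placeholders})",
        $ids
    );
    return $wpdb->get_results( $sql );
}

// Defender-side checks that belong around such a handler in the admin context:
// verify capability and nonce before touching the database at all. Note that
// these checks alone do not remove the injection; the prepared query does.
function hypothetical_admin_handler() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    check_admin_referer( 'example_workflows_action' ); // assumed nonce action
    $raw = isset( $_POST['workflow_ids'] ) ? (array) $_POST['workflow_ids'] : array();
    return hypothetical_safe_load_workflows( $raw );
}
```

When auditing a plugin for this class of bug, search for `$wpdb->query`/`$wpdb->get_results` calls whose SQL string is built with `implode()` or string interpolation of request data and confirm each one goes through `$wpdb->prepare()` or strict integer casting.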
Technical or Business Impacts
If exploited, this weakness can enable an attacker to extract sensitive information from the WordPress database. Depending on what your site stores, this may include customer or subscriber data, operational details, and other information that can create downstream risk.
From a business-risk perspective, the impacts can include privacy and compliance exposure (if personal data is accessed), loss of trust with customers and subscribers, and incident response costs tied to containment, forensics, notifications, and post-incident hardening.
Because the attack requires Administrator+ privileges, leadership and compliance teams should treat this as both a software vulnerability and an identity/security governance issue: protecting admin accounts (MFA, access reviews, least privilege) is critical to reducing likelihood.
Similar Attacks
SQL injection has a long track record in major incidents. For context, here are a few widely documented examples (not specific to this plugin):
TalkTalk (2015) cyberattack — publicly reported as involving SQL injection and resulting in significant business disruption and regulatory scrutiny.
Heartland Payment Systems (2008–2009) breach — a major payment-industry incident widely discussed in security reporting, illustrating how database-layer attacks can have broad financial and reputational impact.