CVE-2026-8978
Published: Sat, 06 Jun 2026 04:17
Summary
The OptinCraft – Drag & Drop Optins & Popup Builder for WordPress plugin for WordPress is vulnerable to generic SQL Injection via the 'order_by' parameter in all versions up to, and including, 1.2.0 d
Details
The OptinCraft – Drag & Drop Optins & Popup Builder for WordPress plugin for WordPress is vulnerable to generic SQL Injection via the 'order_by' parameter in all versions up to, and including, 1.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Are YOU affected by CVE-2026-8978?
5-second check on your actual server. Reads /etc/os-release, uname -r, and dpkg-query; matches against the live USN + Debian Security Tracker feeds; tells you whether CVE-2026-8978 (and any other live CVE) applies. Anonymous, no signup.
curl https://mindsparkstack.com/scan.sh | bash
References
- https://plugins.trac.wordpress.org/browser/optincraft/tags/1.0.2/app/Http/Controllers/Admin/CampaignController.php#L37
- https://plugins.trac.wordpress.org/browser/optincraft/tags/1.0.2/app/Repositories/CampaignRepository.php#L55
- https://plugins.trac.wordpress.org/browser/optincraft/tags/1.0.2/vendor/vendor-src/wpmvc/database/src/Query/Compilers/Compiler.php#L286
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3554161%40optincraft&new=3554161%40optincraft&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/f28a95b0-0f7d-43c4-acf9-13c561245f4b?source=cve
StackPatch runs this match against YOUR installed packages every hour
Free 1-server / $99 lifetime founder seat (50 only) / $19+/mo monthly. Indie pricing.