Critical Vulnerability Discovered in WordPress Plugin Email Subscribers by Icegram Express
A major security vulnerability has been identified in the Email Subscribers by Icegram Express WordPress plugin, potentially threatening the security of over 90,000 websites. This plugin, which is widely used for managing email subscriptions, newsletters, and marketing automation, is vulnerable to SQL injection attacks.
The vulnerability has been officially designated as CVE-2024-2876, and it has received a CVSS score of 9.8, indicating critical severity. The SQL injection vulnerability affects all versions of the plugin up to and including 5.7.25.
To mitigate the risk, users of the Email Subscribers by Icegram Express plugin should upgrade to version 5.7.26 right away. You should also consider using WordPress’s feature to enable automatic updates for this and other plugins to ensure any future vulnerabilities are promptly patched.
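The upgrade advice above can be scripted. The following is an added example, not code from the original article or from the plugin's authors: it checks each WordPress install for a version in the affected range (up to and including 5.7.25), updates it, and enables automatic updates. It assumes WP-CLI is installed as `wp` and that the plugin's slug is `email-subscribers` (confirm with `wp plugin list`); the function names are hypothetical.

```shell
#!/bin/sh
# Added example. Assumptions: WP-CLI is available as `wp`, and PLUGIN_SLUG
# matches the plugin's directory name on your site (check `wp plugin list`).
PLUGIN_SLUG=${PLUGIN_SLUG:-email-subscribers}
LAST_AFFECTED=5.7.25   # CVE-2024-2876: all versions up to and including this

# version_lte A B: true when dotted version A <= B, compared numerically per
# component (a plain string compare would rank 5.10.0 below 5.7.25).
version_lte() {
  _a=$1; _b=$2
  while [ -n "$_a" ] || [ -n "$_b" ]; do
    _x=${_a%%.*}; _y=${_b%%.*}
    if [ "$_a" = "$_x" ]; then _a=; else _a=${_a#*.}; fi
    if [ "$_b" = "$_y" ]; then _b=; else _b=${_b#*.}; fi
    [ "${_x:-0}" -lt "${_y:-0}" ] && return 0
    [ "${_x:-0}" -gt "${_y:-0}" ] && return 1
  done
  return 0
}

# is_affected VERSION: 0 = in the affected range, 1 = newer, 2 = unparsable.
is_affected() {
  case $1 in
    '' | .* | *. | *..* | *[!0-9.]*) return 2 ;;
  esac
  version_lte "$1" "$LAST_AFFECTED"
}

# remediate WP_ROOT: report the installed version, update if affected,
# then enable auto-updates for the plugin.
remediate() {
  _ver=$(wp plugin get "$PLUGIN_SLUG" --field=version --path="$1" 2>/dev/null) \
    || { echo "$1: $PLUGIN_SLUG not found (or WP-CLI failed)"; return 0; }
  _rc=0; is_affected "$_ver" || _rc=$?
  case $_rc in
    0) echo "$1: $PLUGIN_SLUG $_ver is affected, updating"
       wp plugin update "$PLUGIN_SLUG" --path="$1" || return 1 ;;
    1) echo "$1: $PLUGIN_SLUG $_ver is newer than $LAST_AFFECTED" ;;
    *) echo "$1: cannot parse version '$_ver'"; return 1 ;;
  esac
  wp plugin auto-updates enable "$PLUGIN_SLUG" --path="$1"
}

# Usage: sh check.sh /var/www/site1 /var/www/site2
for _site in "$@"; do
  remediate "$_site" || echo "$_site: remediation failed" >&2
done
```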
Author: Jamie Moynahan. Jamie is the Support Manager at Pipe Ten and has been an integral part of the team for well over 10 years. Jamie is a seasoned expert in the intricacies of the fast-changing world of website applications, hosting and domain name registration. This broad knowledge is instrumental to the entire customer support experience which purely.website members have come to rely on. Jamie has written and published hundreds of articles about hosting and managing website applications and domain name registration management processes.