Refine your search
34 vulnerabilities found for by Icegram
CVE-2026-1651 (GCVE-0-2026-1651)
Vulnerability from cvelistv5
Published
2026-03-04 01:22
Modified
2026-04-08 17:26
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Summary
The Email Subscribers by Icegram Express plugin for WordPress is vulnerable to SQL Injection via the 'workflow_ids' parameter in all versions up to, and including, 5.9.16 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| icegram | Email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter Plugin for WordPress |
Version: 0 ≤ 5.9.16 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1651",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-04T16:03:17.608622Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-04T16:03:23.277Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://gist.github.com/stevenyu113228/6c5c3f660e6dc739768842c051028f40"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Email Subscribers \u0026 Newsletters \u2013 Email Marketing, Post Notifications \u0026 Newsletter Plugin for WordPress",
"vendor": "icegram",
"versions": [
{
"lessThanOrEqual": "5.9.16",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Chiao-Lin Yu"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Email Subscribers by Icegram Express plugin for WordPress is vulnerable to SQL Injection via the \u0027workflow_ids\u0027 parameter in all versions up to, and including, 5.9.16 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:26:58.228Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d8dc995d-912e-4d83-84cc-c99242022b82?source=cve"
},
{
"url": "https://downloads.wordpress.org/plugin/email-subscribers.5.9.15.zip"
},
{
"url": "https://plugins.trac.wordpress.org/browser/email-subscribers/trunk/lite/includes/workflows/db/class-es-db-workflows.php#L379"
},
{
"url": "https://plugins.trac.wordpress.org/browser/email-subscribers/tags/5.9.15/lite/includes/workflows/db/class-es-db-workflows.php#L379"
},
{
"url": "https://gist.github.com/stevenyu113228/6c5c3f660e6dc739768842c051028f40"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3464881/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-02-04T18:37:02.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2026-03-03T12:24:57.000Z",
"value": "Disclosed"
}
],
"title": "Email Subscribers \u0026 Newsletters \u003c= 5.9.16 - Authenticated (Administrator+) SQL Injection via \u0027workflow_ids\u0027 Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2026-1651",
"datePublished": "2026-03-04T01:22:00.212Z",
"dateReserved": "2026-01-29T19:16:28.205Z",
"dateUpdated": "2026-04-08T17:26:58.228Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68507 (GCVE-0-2025-68507)
Vulnerability from cvelistv5
Published
2026-01-22 16:52
Modified
2026-04-01 14:12
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-862 - Missing Authorization
Summary
Missing Authorization vulnerability in Icegram Icegram icegram allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Icegram: from n/a through <= 3.1.35.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-68507",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-28T15:37:30.532540Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T15:38:01.128Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "icegram",
"product": "Icegram",
"vendor": "Icegram",
"versions": [
{
"changes": [
{
"at": "3.1.36",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.1.35",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Legion Hunter | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:02:26.762Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in Icegram Icegram icegram allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects Icegram: from n/a through \u003c= 3.1.35.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in Icegram Icegram icegram allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Icegram: from n/a through \u003c= 3.1.35."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T14:12:05.683Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/icegram/vulnerability/wordpress-icegram-plugin-3-1-35-broken-access-control-vulnerability?_s_id=cve"
}
],
"title": "WordPress Icegram plugin \u003c= 3.1.35 - Broken Access Control vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-68507",
"datePublished": "2026-01-22T16:52:07.377Z",
"dateReserved": "2025-12-19T10:16:51.230Z",
"dateUpdated": "2026-04-01T14:12:05.683Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-68038 (GCVE-0-2025-68038)
Vulnerability from cvelistv5
Published
2025-12-24 13:10
Modified
2026-04-01 14:11
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-502 - Deserialization of Untrusted Data
Summary
Deserialization of Untrusted Data vulnerability in Icegram Icegram Express Pro email-subscribers-premium allows Object Injection.This issue affects Icegram Express Pro: from n/a through < 5.9.14.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Icegram | Icegram Express Pro |
Version: 0 < |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-68038",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-24T18:53:56.363556Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-24T19:31:09.858Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "email-subscribers-premium",
"product": "Icegram Express Pro",
"vendor": "Icegram",
"versions": [
{
"changes": [
{
"at": "5.9.14",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.9.14",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "theviper17 | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:02:19.647Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Deserialization of Untrusted Data vulnerability in Icegram Icegram Express Pro email-subscribers-premium allows Object Injection.\u003cp\u003eThis issue affects Icegram Express Pro: from n/a through \u003c 5.9.14.\u003c/p\u003e"
}
],
"value": "Deserialization of Untrusted Data vulnerability in Icegram Icegram Express Pro email-subscribers-premium allows Object Injection.This issue affects Icegram Express Pro: from n/a through \u003c 5.9.14."
}
],
"impacts": [
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "Object Injection"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T14:11:51.256Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/email-subscribers-premium/vulnerability/wordpress-icegram-express-pro-plugin-5-9-11-php-object-injection-vulnerability?_s_id=cve"
}
],
"title": "WordPress Icegram Express Pro plugin \u003c 5.9.14 - PHP Object Injection vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-68038",
"datePublished": "2025-12-24T13:10:25.043Z",
"dateReserved": "2025-12-15T10:01:03.747Z",
"dateUpdated": "2026-04-01T14:11:51.256Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-12348 (GCVE-0-2025-12348)
Vulnerability from cvelistv5
Published
2025-12-12 09:20
Modified
2026-04-08 17:21
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-306 - Missing Authentication for Critical Function
Summary
The Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 5.9.10. This is due to the plugin not properly verifying that a user is authorized to perform an action in the `run_action_scheduler_task` function. This makes it possible for unauthenticated attackers to execute scheduled actions early or repeatedly by guessing action IDs, potentially triggering email sends, maintenance tasks, or other privileged operations, causing unexpected state changes and resource usage.
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| icegram | Email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter Plugin for WordPress |
Version: 0 ≤ 5.9.10 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-12348",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-12T20:49:00.876134Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-12T20:49:12.755Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Email Subscribers \u0026 Newsletters \u2013 Email Marketing, Post Notifications \u0026 Newsletter Plugin for WordPress",
"vendor": "icegram",
"versions": [
{
"lessThanOrEqual": "5.9.10",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Adrian Lukita"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 5.9.10. This is due to the plugin not properly verifying that a user is authorized to perform an action in the `run_action_scheduler_task` function. This makes it possible for unauthenticated attackers to execute scheduled actions early or repeatedly by guessing action IDs, potentially triggering email sends, maintenance tasks, or other privileged operations, causing unexpected state changes and resource usage."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:21:15.908Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c6ba7244-0ecf-412f-9b8b-6b81fa6cdeb5?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/email-subscribers/tags/5.9.4/lite/includes/classes/class-es-queue.php#L50"
},
{
"url": "https://plugins.trac.wordpress.org/browser/email-subscribers/tags/5.9.4/lite/includes/classes/class-ig-es-background-process-helper.php#L194"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3394838/email-subscribers/trunk/lite/includes/classes/class-ig-es-background-process-helper.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-11T21:13:45.000Z",
"value": "Disclosed"
}
],
"title": "Email Subscribers \u0026 Newsletters \u003c= 5.9.10 - Missing Authentication to Unauthenticated Action Scheduler Task Execution"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-12348",
"datePublished": "2025-12-12T09:20:29.470Z",
"dateReserved": "2025-10-27T14:21:51.223Z",
"dateUpdated": "2026-04-08T17:21:15.908Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-66055 (GCVE-0-2025-66055)
Vulnerability from cvelistv5
Published
2025-11-21 12:29
Modified
2026-04-01 14:10
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-502 - Deserialization of Untrusted Data
Summary
Deserialization of Untrusted Data vulnerability in Icegram Email Subscribers & Newsletters email-subscribers allows Object Injection.This issue affects Email Subscribers & Newsletters: from n/a through <= 5.9.10.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Icegram | Email Subscribers & Newsletters |
Version: 0 < |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-66055",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-21T14:26:54.405540Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-21T14:26:56.725Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "email-subscribers",
"product": "Email Subscribers \u0026 Newsletters",
"vendor": "Icegram",
"versions": [
{
"changes": [
{
"at": "5.9.11",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.9.10",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ananda Dhakal (Patchstack)"
}
],
"datePublic": "2026-04-01T16:01:17.392Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Deserialization of Untrusted Data vulnerability in Icegram Email Subscribers \u0026 Newsletters email-subscribers allows Object Injection.\u003cp\u003eThis issue affects Email Subscribers \u0026 Newsletters: from n/a through \u003c= 5.9.10.\u003c/p\u003e"
}
],
"value": "Deserialization of Untrusted Data vulnerability in Icegram Email Subscribers \u0026 Newsletters email-subscribers allows Object Injection.This issue affects Email Subscribers \u0026 Newsletters: from n/a through \u003c= 5.9.10."
}
],
"impacts": [
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "Object Injection"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T14:10:33.659Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/email-subscribers/vulnerability/wordpress-email-subscribers-newsletters-plugin-5-9-10-php-object-injection-vulnerability?_s_id=cve"
}
],
"title": "WordPress Email Subscribers \u0026 Newsletters plugin \u003c= 5.9.10 - PHP Object Injection vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-66055",
"datePublished": "2025-11-21T12:29:53.666Z",
"dateReserved": "2025-11-21T11:20:39.725Z",
"dateUpdated": "2026-04-01T14:10:33.659Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-12349 (GCVE-0-2025-12349)
Vulnerability from cvelistv5
Published
2025-11-19 04:28
Modified
2026-04-08 16:34
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-306 - Missing Authentication for Critical Function
Summary
The Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin for WordPress is vulnerable to Authorization in versions up to, and including, 5.9.10. This is due to the plugin not properly verifying that a user is authorized to perform an action in the `trigger_mailing_queue_sending` function. This makes it possible for unauthenticated attackers to force immediate email sending, bypass the schedule, increase server load, and change plugin state (e.g., last-cron-hit), enabling abuse or DoS-like effects.
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| icegram | Email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter Plugin for WordPress |
Version: 0 ≤ 5.9.10 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-12349",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-19T20:10:16.949251Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T20:10:33.978Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Email Subscribers \u0026 Newsletters \u2013 Email Marketing, Post Notifications \u0026 Newsletter Plugin for WordPress",
"vendor": "icegram",
"versions": [
{
"lessThanOrEqual": "5.9.10",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Adrian Lukita"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin for WordPress is vulnerable to Authorization in versions up to, and including, 5.9.10. This is due to the plugin not properly verifying that a user is authorized to perform an action in the `trigger_mailing_queue_sending` function. This makes it possible for unauthenticated attackers to force immediate email sending, bypass the schedule, increase server load, and change plugin state (e.g., last-cron-hit), enabling abuse or DoS-like effects."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:34:50.368Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0b4cbe21-9f1b-425b-8141-ae075baaf717?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/email-subscribers/tags/5.9.4/lite/includes/classes/class-es-queue.php#L54"
},
{
"url": "https://plugins.trac.wordpress.org/browser/email-subscribers/tags/5.9.4/lite/includes/classes/class-es-queue.php#L1132"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3394838%40email-subscribers%2Ftrunk\u0026old=3393565%40email-subscribers%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2025-11-18T16:15:48.000Z",
"value": "Disclosed"
}
],
"title": "Email Subscribers \u0026 Newsletters \u003c= 5.9.10 - Missing Authentication to Unauthenticated Mailing Queue Trigger"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-12349",
"datePublished": "2025-11-19T04:28:18.783Z",
"dateReserved": "2025-10-27T14:22:50.164Z",
"dateUpdated": "2026-04-08T16:34:50.368Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-49917 (GCVE-0-2025-49917)
Vulnerability from cvelistv5
Published
2025-10-22 14:32
Modified
2026-04-01 14:07
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Summary
Server-Side Request Forgery (SSRF) vulnerability in Icegram Icegram Express Pro email-subscribers-premium allows Server Side Request Forgery.This issue affects Icegram Express Pro: from n/a through <= 5.9.5.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Icegram | Icegram Express Pro |
Version: 0 < |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-49917",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-23T14:23:34.484297Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-23T14:23:41.190Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "email-subscribers-premium",
"product": "Icegram Express Pro",
"vendor": "Icegram",
"versions": [
{
"changes": [
{
"at": "5.9.6",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.9.5",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "theviper17 | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T15:59:03.649Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Server-Side Request Forgery (SSRF) vulnerability in Icegram Icegram Express Pro email-subscribers-premium allows Server Side Request Forgery.\u003cp\u003eThis issue affects Icegram Express Pro: from n/a through \u003c= 5.9.5.\u003c/p\u003e"
}
],
"value": "Server-Side Request Forgery (SSRF) vulnerability in Icegram Icegram Express Pro email-subscribers-premium allows Server Side Request Forgery.This issue affects Icegram Express Pro: from n/a through \u003c= 5.9.5."
}
],
"impacts": [
{
"capecId": "CAPEC-664",
"descriptions": [
{
"lang": "en",
"value": "Server Side Request Forgery"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T14:07:42.390Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/email-subscribers-premium/vulnerability/wordpress-icegram-express-pro-plugin-5-9-5-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"
}
],
"title": "WordPress Icegram Express Pro plugin \u003c= 5.9.5 - Server Side Request Forgery (SSRF) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-49917",
"datePublished": "2025-10-22T14:32:12.630Z",
"dateReserved": "2025-06-11T16:06:59.982Z",
"dateUpdated": "2026-04-01T14:07:42.390Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-47527 (GCVE-0-2025-47527)
Vulnerability from cvelistv5
Published
2025-06-09 15:54
Modified
2026-04-01 15:53
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-862 - Missing Authorization
Summary
Missing Authorization vulnerability in Icegram Icegram Collect icegram-rainmaker allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Icegram Collect: from n/a through <= 1.3.18.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Icegram | Icegram Collect |
Version: 0 < |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-47527",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-09T17:16:37.606905Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-09T17:23:06.702Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "icegram-rainmaker",
"product": "Icegram Collect",
"vendor": "Icegram",
"versions": [
{
"changes": [
{
"at": "1.3.19",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.3.18",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "ch4r0n | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:40:05.958Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in Icegram Icegram Collect icegram-rainmaker allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects Icegram Collect: from n/a through \u003c= 1.3.18.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in Icegram Icegram Collect icegram-rainmaker allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Icegram Collect: from n/a through \u003c= 1.3.18."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:53:28.723Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/icegram-rainmaker/vulnerability/wordpress-icegram-collect-easy-form-lead-collection-and-subscription-plugin-1-3-18-broken-access-control-vulnerability?_s_id=cve"
}
],
"title": "WordPress Icegram Collect \u2013 Easy Form, Lead Collection and Subscription plugin \u003c= 1.3.18 - Broken Access Control Vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-47527",
"datePublished": "2025-06-09T15:54:09.986Z",
"dateReserved": "2025-05-07T09:39:46.951Z",
"dateUpdated": "2026-04-01T15:53:28.723Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-24542 (GCVE-0-2025-24542)
Vulnerability from cvelistv5
Published
2025-01-24 17:24
Modified
2026-04-01 15:43
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Icegram Icegram icegram allows Stored XSS.This issue affects Icegram: from n/a through <= 3.1.31.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-24542",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-01-24T18:47:49.786497Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-01-24T19:01:52.526Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "icegram",
"product": "Icegram",
"vendor": "Icegram",
"versions": [
{
"changes": [
{
"at": "3.1.32",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.1.31",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "savphill | Patchstack Bug Bounty Program"
}
],
"datePublic": "2026-04-01T16:33:55.795Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Icegram Icegram icegram allows Stored XSS.\u003cp\u003eThis issue affects Icegram: from n/a through \u003c= 3.1.31.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Icegram Icegram icegram allows Stored XSS.This issue affects Icegram: from n/a through \u003c= 3.1.31."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "Stored XSS"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:43:58.404Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/Wordpress/Plugin/icegram/vulnerability/wordpress-icegram-engage-plugin-3-1-31-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "WordPress Icegram Engage plugin \u003c= 3.1.31 - Cross Site Scripting (XSS) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-24542",
"datePublished": "2025-01-24T17:24:20.830Z",
"dateReserved": "2025-01-23T14:50:05.373Z",
"dateUpdated": "2026-04-01T15:43:58.404Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-39625 (GCVE-0-2024-39625)
Vulnerability from cvelistv5
Published
2024-11-01 14:17
Modified
2024-11-01 18:24
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-862 - Missing Authorization
Summary
Missing Authorization vulnerability in icegram Icegram allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Icegram: from n/a through 3.1.24.
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:icegram:icegram:-:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unaffected",
"product": "icegram",
"vendor": "icegram",
"versions": [
{
"lessThanOrEqual": "3.1.24",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-39625",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-01T18:23:26.331117Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-01T18:24:16.414Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "icegram",
"product": "Icegram",
"vendor": "icegram",
"versions": [
{
"changes": [
{
"at": "3.1.25",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.1.24",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dhabaleshwar Das (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in icegram Icegram allows Accessing Functionality Not Properly Constrained by ACLs.\u003cp\u003eThis issue affects Icegram: from n/a through 3.1.24.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in icegram Icegram allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Icegram: from n/a through 3.1.24."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-01T14:17:54.939Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/icegram/wordpress-icegram-engage-plugin-3-1-24-unauthenticated-message-duplication-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to 3.1.25 or a higher version."
}
],
"value": "Update to 3.1.25 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Icegram Engage plugin \u003c= 3.1.24 - Unauthenticated Message Duplication Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-39625",
"datePublished": "2024-11-01T14:17:54.939Z",
"dateReserved": "2024-06-26T21:17:39.688Z",
"dateUpdated": "2024-11-01T18:24:16.414Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-43273 (GCVE-0-2024-43273)
Vulnerability from cvelistv5
Published
2024-11-01 14:17
Modified
2024-11-01 17:53
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-862 - Missing Authorization
Summary
Missing Authorization vulnerability in icegram Icegram Collect plugin allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Icegram Collect plugin: from n/a through 1.3.14.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| icegram | Icegram Collect |
Version: n/a < |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43273",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-01T17:53:13.991162Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-01T17:53:34.100Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "icegram-rainmaker",
"product": "Icegram Collect",
"vendor": "icegram",
"versions": [
{
"changes": [
{
"at": "1.3.15",
"status": "unaffected"
}
],
"lessThanOrEqual": "1.3.14",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dhabaleshwar Das (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in icegram Icegram Collect plugin allows Exploiting Incorrectly Configured Access Control Security Levels.\u003cp\u003eThis issue affects Icegram Collect plugin: from n/a through 1.3.14.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in icegram Icegram Collect plugin allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Icegram Collect plugin: from n/a through 1.3.14."
}
],
"impacts": [
{
"capecId": "CAPEC-180",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-180 Exploiting Incorrectly Configured Access Control Security Levels"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-11-01T14:17:33.236Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/icegram-rainmaker/wordpress-icegram-collect-easy-form-lead-collection-and-subscription-plugin-plugin-1-3-14-broken-access-control-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to 1.3.15 or a higher version."
}
],
"value": "Update to 1.3.15 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Icegram Collect plugin \u003c= 1.3.14 - Broken Access Control vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-43273",
"datePublished": "2024-11-01T14:17:33.236Z",
"dateReserved": "2024-08-09T09:20:56.506Z",
"dateUpdated": "2024-11-01T17:53:34.100Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-8254 (GCVE-0-2024-8254)
Vulnerability from cvelistv5
Published
2024-10-02 06:46
Modified
2026-04-08 17:02
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Summary
The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5.7.34. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| icegram | Email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter Plugin for WordPress |
Version: 0 ≤ 5.7.34 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8254",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-10-02T13:35:50.032802Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-10-02T13:35:59.445Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Email Subscribers \u0026 Newsletters \u2013 Email Marketing, Post Notifications \u0026 Newsletter Plugin for WordPress",
"vendor": "icegram",
"versions": [
{
"lessThanOrEqual": "5.7.34",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Arkadiusz Hydzik"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Email Subscribers by Icegram Express \u2013 Email Marketing, Newsletters, Automation for WordPress \u0026 WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5.7.34. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94 Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:02:53.509Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7d4ae4a7-aec1-4cc1-bea0-61dde44027fc?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/email-subscribers/tags/5.7.29/lite/includes/class-es-common.php#L244"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3157336/"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-10-01T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Email Subscribers by Icegram Express \u2013 Email Marketing, Newsletters, Automation for WordPress \u0026 WooCommerce \u003c= 5.7.34 - Authenticated (Subscriber+) Arbitrary Shortcode Execution"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-8254",
"datePublished": "2024-10-02T06:46:02.280Z",
"dateReserved": "2024-08-28T01:19:41.928Z",
"dateUpdated": "2026-04-08T17:02:53.509Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-8771 (GCVE-0-2024-8771)
Vulnerability from cvelistv5
Published
2024-09-26 15:30
Modified
2026-04-08 17:34
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-862 - Missing Authorization
Summary
The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'preview_email_template_design' function in all versions up to, and including, 5.7.34. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive data including the content of private, password protected, pending, and draft posts and pages.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| icegram | Email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter Plugin for WordPress |
Version: 0 ≤ 5.7.34 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-8771",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-26T15:45:42.939705Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-09-26T15:50:39.039Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Email Subscribers \u0026 Newsletters \u2013 Email Marketing, Post Notifications \u0026 Newsletter Plugin for WordPress",
"vendor": "icegram",
"versions": [
{
"lessThanOrEqual": "5.7.34",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Michelle Porter"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Email Subscribers by Icegram Express \u2013 Email Marketing, Newsletters, Automation for WordPress \u0026 WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the \u0027preview_email_template_design\u0027 function in all versions up to, and including, 5.7.34. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive data including the content of private, password protected, pending, and draft posts and pages."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:34:15.472Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f9d90717-fd48-493b-9293-32976bf2cada?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/email-subscribers/trunk/lite/admin/class-email-subscribers-admin.php#L1754"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3157336/"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-09-25T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Email Subscribers by Icegram Express \u2013 Email Marketing, Newsletters, Automation for WordPress \u0026 WooCommerce \u003c= 5.7.34 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-8771",
"datePublished": "2024-09-26T15:30:33.922Z",
"dateReserved": "2024-09-12T22:37:35.074Z",
"dateUpdated": "2026-04-08T17:34:15.472Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-43272 (GCVE-0-2024-43272)
Vulnerability from cvelistv5
Published
2024-08-19 17:43
Modified
2024-08-19 18:00
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-306 - Missing Authentication for Critical Function
Summary
Missing Authentication for Critical Function vulnerability in icegram Icegram allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Icegram: from n/a through 3.1.24.
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:icegram:icegram:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "icegram",
"vendor": "icegram",
"versions": [
{
"lessThanOrEqual": "3.1.24",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43272",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-19T17:59:25.873738Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-19T18:00:52.607Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "icegram",
"product": "Icegram",
"vendor": "icegram",
"versions": [
{
"changes": [
{
"at": "3.1.25",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.1.24",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Dhabaleshwar Das (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authentication for Critical Function vulnerability in icegram Icegram allows Accessing Functionality Not Properly Constrained by ACLs.\u003cp\u003eThis issue affects Icegram: from n/a through 3.1.24.\u003c/p\u003e"
}
],
"value": "Missing Authentication for Critical Function vulnerability in icegram Icegram allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Icegram: from n/a through 3.1.24."
}
],
"impacts": [
{
"capecId": "CAPEC-1",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-1 Accessing Functionality Not Properly Constrained by ACLs"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-19T17:43:36.166Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/icegram/wordpress-icegram-engage-plugin-3-1-24-unauthenticated-unpublished-campaign-viewer-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to 3.1.25 or a higher version."
}
],
"value": "Update to 3.1.25 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Icegram Engage plugin \u003c= 3.1.24 - Unauthenticated Unpublished Campaign Viewer vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-43272",
"datePublished": "2024-08-19T17:43:36.166Z",
"dateReserved": "2024-08-09T09:20:56.506Z",
"dateUpdated": "2024-08-19T18:00:52.607Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-43344 (GCVE-0-2024-43344)
Vulnerability from cvelistv5
Published
2024-08-18 13:20
Modified
2024-08-19 14:42
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')
Summary
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Icegram allows Stored XSS.This issue affects Icegram: from n/a through 3.1.25.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-43344",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-19T14:42:34.528791Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-19T14:42:48.931Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "icegram",
"product": "Icegram",
"vendor": "Icegram",
"versions": [
{
"changes": [
{
"at": "3.1.26",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.1.25",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Savphill (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Icegram allows Stored XSS.\u003cp\u003eThis issue affects Icegram: from n/a through 3.1.25.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027) vulnerability in Icegram allows Stored XSS.This issue affects Icegram: from n/a through 3.1.25."
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or \u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-08-18T13:20:04.506Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/icegram/wordpress-icegram-engage-ultimate-wp-popup-builder-lead-generation-optins-and-cta-plugin-3-1-25-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to 3.1.26 or a higher version."
}
],
"value": "Update to 3.1.26 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Icegram Engage \u2013 Ultimate WP Popup Builder, Lead Generation, Optins, and CTA plugin \u003c= 3.1.25 - Cross Site Scripting (XSS) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-43344",
"datePublished": "2024-08-18T13:20:04.506Z",
"dateReserved": "2024-08-09T09:22:15.636Z",
"dateUpdated": "2024-08-19T14:42:48.931Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-5703 (GCVE-0-2024-5703)
Vulnerability from cvelistv5
Published
2024-07-17 07:32
Modified
2026-04-08 16:41
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-862 - Missing Authorization
Summary
The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to unauthorized API access due to a missing capability check in all versions up to, and including, 5.7.26. This makes it possible for authenticated attackers, with Subscriber-level access and above, to access the API (provided it is enabled) and add, edit, and delete audience users.
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| icegram | Email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter Plugin for WordPress |
Version: 0 ≤ 5.7.26 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-5703",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-17T14:34:43.220163Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-17T14:34:51.808Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T21:18:07.029Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/22283650-36bf-43e5-a57e-a91025fb2af7?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/email-subscribers/trunk/lite/admin/class-es-rest-api-admin.php#L25"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3118326/email-subscribers/trunk/lite/admin/class-es-rest-api-admin.php"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Email Subscribers \u0026 Newsletters \u2013 Email Marketing, Post Notifications \u0026 Newsletter Plugin for WordPress",
"vendor": "icegram",
"versions": [
{
"lessThanOrEqual": "5.7.26",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Arkadiusz Hydzik"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Email Subscribers by Icegram Express \u2013 Email Marketing, Newsletters, Automation for WordPress \u0026 WooCommerce plugin for WordPress is vulnerable to unauthorized API access due to a missing capability check in all versions up to, and including, 5.7.26. This makes it possible for authenticated attackers, with Subscriber-level access and above, to access the API (provided it is enabled) and add, edit, and delete audience users."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:41:36.408Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/22283650-36bf-43e5-a57e-a91025fb2af7?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/email-subscribers/trunk/lite/admin/class-es-rest-api-admin.php#L25"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3118326/email-subscribers/trunk/lite/admin/class-es-rest-api-admin.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-07-16T18:52:06.000Z",
"value": "Disclosed"
}
],
"title": "Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin \u003c= 5.7.26 - Missing Authorization"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-5703",
"datePublished": "2024-07-17T07:32:18.614Z",
"dateReserved": "2024-06-06T16:54:13.986Z",
"dateUpdated": "2026-04-08T16:41:36.408Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-6172 (GCVE-0-2024-6172)
Vulnerability from cvelistv5
Published
2024-07-02 06:49
Modified
2026-04-08 16:36
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Summary
The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the db parameter in all versions up to, and including, 5.7.25 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. CVE-2024-37252 appears to be a duplicate of this issue.
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| icegram | Email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter Plugin for WordPress |
Version: 0 ≤ 5.7.25 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:icegram:email_subscribers_\\\u0026_newsletters:-:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unaffected",
"product": "email_subscribers_\\\u0026_newsletters",
"vendor": "icegram",
"versions": [
{
"lessThanOrEqual": "5.7.25",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-6172",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-29T18:20:23.474021Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-29T18:28:29.450Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T21:33:05.052Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/13629598-d45d-4ff5-aeb5-6ac881d25183?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/email-subscribers/trunk/lite/includes/db/class-es-db-contacts.php#L834"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3107964/email-subscribers#file4"
},
{
"tags": [
"x_transferred"
],
"url": "https://wordpress.org/plugins/email-subscribers/#developers"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3107964%40email-subscribers%2Ftrunk\u0026old=3104864%40email-subscribers%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Email Subscribers \u0026 Newsletters \u2013 Email Marketing, Post Notifications \u0026 Newsletter Plugin for WordPress",
"vendor": "icegram",
"versions": [
{
"lessThanOrEqual": "5.7.25",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Khayal Farzaliyev"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Email Subscribers by Icegram Express \u2013 Email Marketing, Newsletters, Automation for WordPress \u0026 WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the db parameter in all versions up to, and including, 5.7.25 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. CVE-2024-37252 appears to be a duplicate of this issue."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:36:38.652Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/13629598-d45d-4ff5-aeb5-6ac881d25183?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/email-subscribers/trunk/lite/includes/db/class-es-db-contacts.php#L834"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3107964/email-subscribers#file4"
},
{
"url": "https://wordpress.org/plugins/email-subscribers/#developers"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3107964%40email-subscribers%2Ftrunk\u0026old=3104864%40email-subscribers%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2024-07-01T18:34:02.000Z",
"value": "Disclosed"
}
],
"title": "Email Subscribers by Icegram Express \u2013 Email Marketing, Newsletters, Automation for WordPress \u0026 WooCommerce \u003c= 5.7.25 - Unauthenticated SQL Injection via unsubscribe"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-6172",
"datePublished": "2024-07-02T06:49:42.989Z",
"dateReserved": "2024-06-19T18:58:05.648Z",
"dateUpdated": "2026-04-08T16:36:38.652Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-37252 (GCVE-0-2024-37252)
Vulnerability from cvelistv5
Published
2024-06-26 10:13
Modified
2024-08-02 03:50
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Summary
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Icegram Email Subscribers & Newsletters allows SQL Injection.This issue affects Email Subscribers & Newsletters: from n/a through 5.7.25.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Icegram | Email Subscribers & Newsletters |
Version: n/a < |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:icegram:email_subscribers_\\\u0026_newsletters:5.7.25:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "email_subscribers_\\\u0026_newsletters",
"vendor": "icegram",
"versions": [
{
"lessThanOrEqual": "5.7.25",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-37252",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-26T13:16:15.425496Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-26T13:17:27.879Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T03:50:55.555Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/email-subscribers/wordpress-email-subscribers-by-icegram-express-plugin-5-7-25-sql-injection-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "email-subscribers",
"product": "Email Subscribers \u0026 Newsletters",
"vendor": "Icegram",
"versions": [
{
"changes": [
{
"at": "5.7.26",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.7.25",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "shaman0x01 (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Icegram Email Subscribers \u0026amp; Newsletters allows SQL Injection.\u003cp\u003eThis issue affects Email Subscribers \u0026amp; Newsletters: from n/a through 5.7.25.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027) vulnerability in Icegram Email Subscribers \u0026 Newsletters allows SQL Injection.This issue affects Email Subscribers \u0026 Newsletters: from n/a through 5.7.25."
}
],
"impacts": [
{
"capecId": "CAPEC-66",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-66 SQL Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 9.3,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-26T10:46:22.510Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/email-subscribers/wordpress-email-subscribers-by-icegram-express-plugin-5-7-25-sql-injection-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to\u0026nbsp;5.7.26 or a higher version."
}
],
"value": "Update to\u00a05.7.26 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Email Subscribers by Icegram Express plugin \u003c= 5.7.25 - SQL Injection vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-37252",
"datePublished": "2024-06-26T10:13:48.219Z",
"dateReserved": "2024-06-04T16:46:44.985Z",
"dateUpdated": "2024-08-02T03:50:55.555Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-5756 (GCVE-0-2024-5756)
Vulnerability from cvelistv5
Published
2024-06-21 04:34
Modified
2026-04-08 17:20
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Summary
The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the db parameter in all versions up to, and including, 5.7.23 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| icegram | Email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter Plugin for WordPress |
Version: 0 ≤ 5.7.23 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:icegram:email_subscribers_\\\u0026_newsletters:-:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unaffected",
"product": "email_subscribers_\\\u0026_newsletters",
"vendor": "icegram",
"versions": [
{
"lessThanOrEqual": "5.7.23",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-5756",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-27T18:06:42.487259Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-01T18:32:42.792Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T21:18:07.052Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c5bd11c6-2f55-4eee-834a-c4e405482b9c?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/email-subscribers/trunk/lite/includes/db/class-es-db-contacts.php#L532"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3101638/email-subscribers/trunk/lite/includes/db/class-es-db-contacts.php"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Email Subscribers \u0026 Newsletters \u2013 Email Marketing, Post Notifications \u0026 Newsletter Plugin for WordPress",
"vendor": "icegram",
"versions": [
{
"lessThanOrEqual": "5.7.23",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Arkadiusz Hydzik"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Email Subscribers by Icegram Express \u2013 Email Marketing, Newsletters, Automation for WordPress \u0026 WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the db parameter in all versions up to, and including, 5.7.23 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:20:59.520Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c5bd11c6-2f55-4eee-834a-c4e405482b9c?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/email-subscribers/trunk/lite/includes/db/class-es-db-contacts.php#L532"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3101638/email-subscribers/trunk/lite/includes/db/class-es-db-contacts.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-06-20T16:01:32.000Z",
"value": "Disclosed"
}
],
"title": "Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin \u003c= 5.7.23 - Unauthenticated SQL Injection via optin"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-5756",
"datePublished": "2024-06-21T04:34:10.900Z",
"dateReserved": "2024-06-07T17:14:58.254Z",
"dateUpdated": "2026-04-08T17:20:59.520Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-4845 (GCVE-0-2024-4845)
Vulnerability from cvelistv5
Published
2024-06-12 09:33
Modified
2026-04-08 16:41
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Summary
The Icegram Express plugin for WordPress is vulnerable to SQL Injection via the ‘options[list_id]’ parameter in all versions up to, and including, 5.7.22 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| icegram | Email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter Plugin for WordPress |
Version: 0 ≤ 5.7.22 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-4845",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-12T18:23:11.440802Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-12T18:23:20.760Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:55:10.037Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/21be2215-8ce0-438e-94e0-6a350b8cc952?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3098321/email-subscribers"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Email Subscribers \u0026 Newsletters \u2013 Email Marketing, Post Notifications \u0026 Newsletter Plugin for WordPress",
"vendor": "icegram",
"versions": [
{
"lessThanOrEqual": "5.7.22",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Arkadiusz Hydzik"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Icegram Express plugin for WordPress is vulnerable to SQL Injection via the \u2018options[list_id]\u2019 parameter in all versions up to, and including, 5.7.22 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:41:29.774Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/21be2215-8ce0-438e-94e0-6a350b8cc952?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3098321/email-subscribers"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-05-28T00:00:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2024-06-11T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Icegram Express \u003c= 5.7.22 - Authenticated (Subscriber+) SQL Injection Vulnerability via options[list_id]"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-4845",
"datePublished": "2024-06-12T09:33:11.896Z",
"dateReserved": "2024-05-13T17:23:36.368Z",
"dateUpdated": "2026-04-08T16:41:29.774Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-21748 (GCVE-0-2024-21748)
Vulnerability from cvelistv5
Published
2024-06-08 16:14
Modified
2024-08-01 22:27
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-862 - Missing Authorization
Summary
Missing Authorization vulnerability in Icegram.This issue affects Icegram: from n/a through 3.1.21.
References
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-21748",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-07-16T18:10:33.558569Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-17T15:48:18.341Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:27:36.015Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/icegram/wordpress-icegram-engage-plugin-3-1-20-broken-access-control-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "icegram",
"product": "Icegram",
"vendor": "Icegram",
"versions": [
{
"changes": [
{
"at": "3.1.22",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.1.21",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Huynh Tien Si (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Missing Authorization vulnerability in Icegram.\u003cp\u003eThis issue affects Icegram: from n/a through 3.1.21.\u003c/p\u003e"
}
],
"value": "Missing Authorization vulnerability in Icegram.This issue affects Icegram: from n/a through 3.1.21."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-06-08T16:14:02.597Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/icegram/wordpress-icegram-engage-plugin-3-1-20-broken-access-control-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to 3.1.22 or a higher version."
}
],
"value": "Update to 3.1.22 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Icegram Engage plugin \u003c= 3.1.21 - Broken Access Control vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-21748",
"datePublished": "2024-06-08T16:14:02.597Z",
"dateReserved": "2024-01-02T09:05:10.995Z",
"dateUpdated": "2024-08-01T22:27:36.015Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-4295 (GCVE-0-2024-4295)
Vulnerability from cvelistv5
Published
2024-06-05 05:33
Modified
2026-04-08 16:57
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Summary
The Email Subscribers by Icegram Express plugin for WordPress is vulnerable to SQL Injection via the ‘hash’ parameter in all versions up to, and including, 5.7.20 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| icegram | Email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter Plugin for WordPress |
Version: 0 ≤ 5.7.20 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-4295",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-05T14:20:47.482540Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-05T14:20:59.349Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:33:53.096Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/641123af-1ec6-4549-a58c-0a08b4678f45?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3090845/email-subscribers/trunk/lite/includes/db/class-es-db-lists-contacts.php"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Email Subscribers \u0026 Newsletters \u2013 Email Marketing, Post Notifications \u0026 Newsletter Plugin for WordPress",
"vendor": "icegram",
"versions": [
{
"lessThanOrEqual": "5.7.20",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "AmrAwad"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Email Subscribers by Icegram Express plugin for WordPress is vulnerable to SQL Injection via the \u2018hash\u2019 parameter in all versions up to, and including, 5.7.20 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:57:28.398Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/641123af-1ec6-4549-a58c-0a08b4678f45?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3090845/email-subscribers/trunk/lite/includes/db/class-es-db-lists-contacts.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-04-30T00:00:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2024-06-04T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Email Subscribers by Icegram Express \u003c= 5.7.20 - Unauthenticated SQL Injection via hash"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-4295",
"datePublished": "2024-06-05T05:33:05.595Z",
"dateReserved": "2024-04-27T17:06:34.258Z",
"dateUpdated": "2026-04-08T16:57:28.398Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-3626 (GCVE-0-2024-3626)
Vulnerability from cvelistv5
Published
2024-05-23 05:32
Modified
2026-04-08 16:55
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-862 - Missing Authorization
Summary
The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_template_content function in all versions up to, and including, 5.7.17. This makes it possible for authenticated attackers, with subscriber access and above, to obtain the contents of private and password-protected posts.
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| icegram | Email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter Plugin for WordPress |
Version: 0 ≤ 5.7.17 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-3626",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-23T19:51:31.121119Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:31:42.787Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:19:58.905Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5a56e621-2508-4500-b865-4d5e4463b91a?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/email-subscribers/trunk/lite/includes/class-email-subscribers.php#L1063"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/browser/email-subscribers/trunk/lite/admin/class-email-subscribers-admin.php#L849"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3072302%40email-subscribers%2Ftrunk\u0026old=3069441%40email-subscribers%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Email Subscribers \u0026 Newsletters \u2013 Email Marketing, Post Notifications \u0026 Newsletter Plugin for WordPress",
"vendor": "icegram",
"versions": [
{
"lessThanOrEqual": "5.7.17",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Thura Moe Myint"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Email Subscribers by Icegram Express \u2013 Email Marketing, Newsletters, Automation for WordPress \u0026 WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_template_content function in all versions up to, and including, 5.7.17. This makes it possible for authenticated attackers, with subscriber access and above, to obtain the contents of private and password-protected posts."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:55:00.767Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5a56e621-2508-4500-b865-4d5e4463b91a?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/email-subscribers/trunk/lite/includes/class-email-subscribers.php#L1063"
},
{
"url": "https://plugins.trac.wordpress.org/browser/email-subscribers/trunk/lite/admin/class-email-subscribers-admin.php#L849"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3072302%40email-subscribers%2Ftrunk\u0026old=3069441%40email-subscribers%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2024-05-22T16:40:42.000Z",
"value": "Disclosed"
}
],
"title": "Email Subscribers by Icegram Express \u2013 Email Marketing, Newsletters, Automation for WordPress \u0026 WooCommerce \u003c= 5.7.17 - Missing Authorization"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-3626",
"datePublished": "2024-05-23T05:32:14.816Z",
"dateReserved": "2024-04-10T18:11:57.892Z",
"dateUpdated": "2026-04-08T16:55:00.767Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-4010 (GCVE-0-2024-4010)
Vulnerability from cvelistv5
Published
2024-05-15 08:34
Modified
2026-04-08 16:41
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-862 - Missing Authorization
Summary
The Email Subscribers by Icegram Express plugin for WordPress is vulnerable to unauthorized access of data, modification of data, and loss of data due to a missing capability check on the handle_ajax_request function in all versions up to, and including, 5.7.19. This makes it possible for authenticated attackers, with subscriber-level access and above, to cause a loss of confidentiality, integrity, and availability, by performing multiple unauthorized actions. Some of these actions could also be leveraged to conduct PHP Object Injection and SQL Injection attacks.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| icegram | Email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter Plugin for WordPress |
Version: 0 ≤ 5.7.19 |
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:icegram:email_subscribers_\\\u0026_newsletters:-:*:*:*:*:wordpress:*:*"
],
"defaultStatus": "unknown",
"product": "email_subscribers_\\\u0026_newsletters",
"vendor": "icegram",
"versions": [
{
"lessThanOrEqual": "5.7.19",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-4010",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-06-10T20:29:25.253735Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-01T18:32:27.132Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T20:26:57.257Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/23bfcdd1-b99d-47eb-9f88-96f9ecc53b32?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3083762/email-subscribers"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Email Subscribers \u0026 Newsletters \u2013 Email Marketing, Post Notifications \u0026 Newsletter Plugin for WordPress",
"vendor": "icegram",
"versions": [
{
"lessThanOrEqual": "5.7.19",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Arkadiusz Hydzik"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Email Subscribers by Icegram Express plugin for WordPress is vulnerable to unauthorized access of data, modification of data, and loss of data due to a missing capability check on the handle_ajax_request function in all versions up to, and including, 5.7.19. This makes it possible for authenticated attackers, with subscriber-level access and above, to cause a loss of confidentiality, integrity, and availability, by performing multiple unauthorized actions. Some of these actions could also be leveraged to conduct PHP Object Injection and SQL Injection attacks."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-862",
"description": "CWE-862 Missing Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:41:59.939Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/23bfcdd1-b99d-47eb-9f88-96f9ecc53b32?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3083762/email-subscribers"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-04-19T00:00:00.000Z",
"value": "Vendor Notified"
},
{
"lang": "en",
"time": "2024-05-14T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Email Subscribers by Icegram Express \u003c= 5.7.19 - Missing Authorization in handle_ajax_request"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-4010",
"datePublished": "2024-05-15T08:34:12.914Z",
"dateReserved": "2024-04-19T17:18:27.684Z",
"dateUpdated": "2026-04-08T16:41:59.939Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-2876 (GCVE-0-2024-2876)
Vulnerability from cvelistv5
Published
2024-05-02 16:52
Modified
2026-04-08 17:28
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Summary
The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to SQL Injection via the 'run' function of the 'IG_ES_Subscribers_Query' class in all versions up to, and including, 5.7.14 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| icegram | Email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter Plugin for WordPress |
Version: 0 ≤ 5.7.14 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2876",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-05-02T18:12:38.653217Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-04T17:29:13.796Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:25:42.164Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e0ca6ac4-0d89-4601-94fc-cce5a0af9c56?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/WordpressPluginDirectory/email-subscribers/blob/main/email-subscribers/lite/includes/classes/class-ig-es-subscriber-query.php#L304"
},
{
"tags": [
"x_transferred"
],
"url": "https://github.com/WordpressPluginDirectory/email-subscribers/blob/main/email-subscribers/lite/admin/class-email-subscribers-admin.php#L1433"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3060251/email-subscribers/trunk/lite/includes/classes/class-ig-es-subscriber-query.php"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Email Subscribers \u0026 Newsletters \u2013 Email Marketing, Post Notifications \u0026 Newsletter Plugin for WordPress",
"vendor": "icegram",
"versions": [
{
"lessThanOrEqual": "5.7.14",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Arkadiusz Hydzik"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Email Subscribers by Icegram Express \u2013 Email Marketing, Newsletters, Automation for WordPress \u0026 WooCommerce plugin for WordPress is vulnerable to SQL Injection via the \u0027run\u0027 function of the \u0027IG_ES_Subscribers_Query\u0027 class in all versions up to, and including, 5.7.14 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T17:28:47.811Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e0ca6ac4-0d89-4601-94fc-cce5a0af9c56?source=cve"
},
{
"url": "https://github.com/WordpressPluginDirectory/email-subscribers/blob/main/email-subscribers/lite/includes/classes/class-ig-es-subscriber-query.php#L304"
},
{
"url": "https://github.com/WordpressPluginDirectory/email-subscribers/blob/main/email-subscribers/lite/admin/class-email-subscribers-admin.php#L1433"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3060251/email-subscribers/trunk/lite/includes/classes/class-ig-es-subscriber-query.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-04-15T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin \u003c= 5.7.14 - Unauthenticated SQL Injection"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-2876",
"datePublished": "2024-05-02T16:52:46.382Z",
"dateReserved": "2024-03-25T20:45:21.270Z",
"dateUpdated": "2026-04-08T17:28:47.811Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-2656 (GCVE-0-2024-2656)
Vulnerability from cvelistv5
Published
2024-04-06 03:24
Modified
2026-04-08 16:36
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a CSV import in all versions up to, and including, 5.7.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| icegram | Email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter Plugin for WordPress |
Version: 0 ≤ 5.7.15 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-2656",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-04-08T13:23:52.716885Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-06-19T19:32:35.401Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-01T19:18:48.293Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"x_transferred"
],
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/159ddb06-e7c4-4279-a8a1-c78a02e15891?source=cve"
},
{
"tags": [
"x_transferred"
],
"url": "https://plugins.trac.wordpress.org/changeset/3063438/email-subscribers/trunk/lite/includes/classes/class-es-import-subscribers.php"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Email Subscribers \u0026 Newsletters \u2013 Email Marketing, Post Notifications \u0026 Newsletter Plugin for WordPress",
"vendor": "icegram",
"versions": [
{
"lessThanOrEqual": "5.7.15",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Peter Potrowl"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Email Subscribers by Icegram Express \u2013 Email Marketing, Newsletters, Automation for WordPress \u0026 WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a CSV import in all versions up to, and including, 5.7.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-08T16:36:59.355Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/159ddb06-e7c4-4279-a8a1-c78a02e15891?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3063438/email-subscribers/trunk/lite/includes/classes/class-es-import-subscribers.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2024-04-05T00:00:00.000Z",
"value": "Disclosed"
}
],
"title": "Icegram Express \u003c= 5.7.14 - Authenticated (Administrator+) Cross-Site Scripting via CSV import"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2024-2656",
"datePublished": "2024-04-06T03:24:43.105Z",
"dateReserved": "2024-03-19T15:53:38.061Z",
"dateUpdated": "2026-04-08T16:36:59.355Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-22300 (GCVE-0-2024-22300)
Vulnerability from cvelistv5
Published
2024-03-27 05:56
Modified
2024-08-06 19:02
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Icegram Email Subscribers & Newsletters allows Reflected XSS.This issue affects Email Subscribers & Newsletters: from n/a through 5.7.11.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Icegram | Email Subscribers & Newsletters |
Version: n/a < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:43:34.199Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/email-subscribers/wordpress-icegram-express-plugin-5-7-11-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-22300",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-08-06T19:02:11.324002Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-08-06T19:02:26.529Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "email-subscribers",
"product": "Email Subscribers \u0026 Newsletters",
"vendor": "Icegram",
"versions": [
{
"changes": [
{
"at": "5.7.12",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.7.11",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Rafie Muhammad (Patchstack)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Icegram Email Subscribers \u0026amp; Newsletters allows Reflected XSS.\u003cp\u003eThis issue affects Email Subscribers \u0026amp; Newsletters: from n/a through 5.7.11.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Icegram Email Subscribers \u0026 Newsletters allows Reflected XSS.This issue affects Email Subscribers \u0026 Newsletters: from n/a through 5.7.11.\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-591",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-591 Reflected XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-03-27T05:56:51.502Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/email-subscribers/wordpress-icegram-express-plugin-5-7-11-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to 5.7.12 or a higher version."
}
],
"value": "Update to 5.7.12 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Icegram Express plugin \u003c= 5.7.11 - Reflected Cross Site Scripting (XSS) vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2024-22300",
"datePublished": "2024-03-27T05:56:51.502Z",
"dateReserved": "2024-01-08T20:58:38.881Z",
"dateUpdated": "2024-08-06T19:02:26.529Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-51532 (GCVE-0-2023-51532)
Vulnerability from cvelistv5
Published
2024-02-01 11:00
Modified
2024-08-02 22:40
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Icegram Icegram Engage – WordPress Lead Generation, Popup Builder, CTA, Optins and Email List Building allows Stored XSS.This issue affects Icegram Engage – WordPress Lead Generation, Popup Builder, CTA, Optins and Email List Building: from n/a through 3.1.19.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Icegram | Icegram Engage – WordPress Lead Generation, Popup Builder, CTA, Optins and Email List Building |
Version: n/a < |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-51532",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-02-01T14:16:27.983282Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-07-23T17:22:00.958Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:40:33.180Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/icegram/wordpress-icegram-engage-plugin-3-1-19-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "icegram",
"product": "Icegram Engage \u2013 WordPress Lead Generation, Popup Builder, CTA, Optins and Email List Building",
"vendor": "Icegram",
"versions": [
{
"changes": [
{
"at": "3.1.20",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.1.19",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Huynh Tien Si (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Icegram Icegram Engage \u2013 WordPress Lead Generation, Popup Builder, CTA, Optins and Email List Building allows Stored XSS.\u003cp\u003eThis issue affects Icegram Engage \u2013 WordPress Lead Generation, Popup Builder, CTA, Optins and Email List Building: from n/a through 3.1.19.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027) vulnerability in Icegram Icegram Engage \u2013 WordPress Lead Generation, Popup Builder, CTA, Optins and Email List Building allows Stored XSS.This issue affects Icegram Engage \u2013 WordPress Lead Generation, Popup Builder, CTA, Optins and Email List Building: from n/a through 3.1.19.\n\n"
}
],
"impacts": [
{
"capecId": "CAPEC-592",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-592 Stored XSS"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-02-01T11:00:07.700Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/icegram/wordpress-icegram-engage-plugin-3-1-19-cross-site-scripting-xss-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to\u0026nbsp;3.1.20 or a higher version."
}
],
"value": "Update to\u00a03.1.20 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Icegram Plugin \u003c= 3.1.19 is vulnerable to Cross Site Scripting (XSS)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-51532",
"datePublished": "2024-02-01T11:00:07.700Z",
"dateReserved": "2023-12-20T18:46:01.364Z",
"dateUpdated": "2024-08-02T22:40:33.180Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2023-52119 (GCVE-0-2023-52119)
Vulnerability from cvelistv5
Published
2024-01-05 09:28
Modified
2025-05-23 16:03
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-352 - Cross-Site Request Forgery (CSRF)
Summary
Cross-Site Request Forgery (CSRF) vulnerability in Icegram Icegram Engage – WordPress Lead Generation, Popup Builder, CTA, Optins and Email List Building.This issue affects Icegram Engage – WordPress Lead Generation, Popup Builder, CTA, Optins and Email List Building: from n/a through 3.1.18.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Icegram | Icegram Engage – WordPress Lead Generation, Popup Builder, CTA, Optins and Email List Building |
Version: n/a < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T22:48:12.474Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/icegram/wordpress-icegram-engage-plugin-3-1-18-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2023-52119",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-08T15:57:14.428681Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-23T16:03:25.681Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "icegram",
"product": "Icegram Engage \u2013 WordPress Lead Generation, Popup Builder, CTA, Optins and Email List Building",
"vendor": "Icegram",
"versions": [
{
"changes": [
{
"at": "3.1.19",
"status": "unaffected"
}
],
"lessThanOrEqual": "3.1.18",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Brandon Roldan (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Cross-Site Request Forgery (CSRF) vulnerability in Icegram Icegram Engage \u2013 WordPress Lead Generation, Popup Builder, CTA, Optins and Email List Building.\u003cp\u003eThis issue affects Icegram Engage \u2013 WordPress Lead Generation, Popup Builder, CTA, Optins and Email List Building: from n/a through 3.1.18.\u003c/p\u003e"
}
],
"value": "Cross-Site Request Forgery (CSRF) vulnerability in Icegram Icegram Engage \u2013 WordPress Lead Generation, Popup Builder, CTA, Optins and Email List Building.This issue affects Icegram Engage \u2013 WordPress Lead Generation, Popup Builder, CTA, Optins and Email List Building: from n/a through 3.1.18.\n\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352 Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-05T09:28:10.115Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/icegram/wordpress-icegram-engage-plugin-3-1-18-cross-site-request-forgery-csrf-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to\u0026nbsp;3.1.19 or a higher version."
}
],
"value": "Update to\u00a03.1.19 or a higher version."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Icegram Plugin \u003c= 3.1.18 is vulnerable to Cross Site Request Forgery (CSRF)",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2023-52119",
"datePublished": "2024-01-05T09:28:10.115Z",
"dateReserved": "2023-12-28T11:38:51.767Z",
"dateUpdated": "2025-05-23T16:03:25.681Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-45810 (GCVE-0-2022-45810)
Vulnerability from cvelistv5
Published
2023-11-07 16:50
Modified
2025-02-19 21:19
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-1236 - Improper Neutralization of Formula Elements in a CSV File
Summary
Improper Neutralization of Formula Elements in a CSV File vulnerability in Icegram Icegram Express – Email Marketing, Newsletters and Automation for WordPress & WooCommerce.This issue affects Icegram Express – Email Marketing, Newsletters and Automation for WordPress & WooCommerce: from n/a through 5.5.2.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Icegram | Icegram Express – Email Marketing, Newsletters and Automation for WordPress & WooCommerce |
Version: n/a < |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-03T14:24:00.962Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"tags": [
"vdb-entry",
"x_transferred"
],
"url": "https://patchstack.com/database/vulnerability/email-subscribers/wordpress-icegram-express-email-subscribers-newsletters-and-marketing-automation-plugin-plugin-5-5-2-csv-injection?_s_id=cve"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-45810",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-02-19T21:12:00.635680Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-02-19T21:19:35.808Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "email-subscribers",
"product": "Icegram Express \u2013 Email Marketing, Newsletters and Automation for WordPress \u0026 WooCommerce",
"vendor": "Icegram",
"versions": [
{
"changes": [
{
"at": "5.5.3",
"status": "unaffected"
}
],
"lessThanOrEqual": "5.5.2",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "Mika (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Improper Neutralization of Formula Elements in a CSV File vulnerability in Icegram Icegram Express \u2013 Email Marketing, Newsletters and Automation for WordPress \u0026amp; WooCommerce.\u003cp\u003eThis issue affects Icegram Express \u2013 Email Marketing, Newsletters and Automation for WordPress \u0026amp; WooCommerce: from n/a through 5.5.2.\u003c/p\u003e"
}
],
"value": "Improper Neutralization of Formula Elements in a CSV File vulnerability in Icegram Icegram Express \u2013 Email Marketing, Newsletters and Automation for WordPress \u0026 WooCommerce.This issue affects Icegram Express \u2013 Email Marketing, Newsletters and Automation for WordPress \u0026 WooCommerce: from n/a through 5.5.2.\n\n"
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1236",
"description": "CWE-1236 Improper Neutralization of Formula Elements in a CSV File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2023-11-07T16:50:04.184Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/vulnerability/email-subscribers/wordpress-icegram-express-email-subscribers-newsletters-and-marketing-automation-plugin-plugin-5-5-2-csv-injection?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update to\u0026nbsp;5.5.3 or a higher version"
}
],
"value": "Update to\u00a05.5.3 or a higher version"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress Email Subscribers \u0026 Newsletters Plugin \u003c= 5.5.2 is vulnerable to CSV Injection",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2022-45810",
"datePublished": "2023-11-07T16:50:04.184Z",
"dateReserved": "2022-11-23T07:45:38.347Z",
"dateUpdated": "2025-02-19T21:19:35.808Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}