Directory Traversal Vulnerability in Icegram Express Plugin for WordPress
CVE-2023-5414

7.2HIGH

Key Information:

Vendor
Wordpress
Status
Icegram Express – Email Marketing, Newsletters and Automation for WordPress & WooCommerce
Vendor
CVE Published:
20 October 2023

Summary

The Icegram Express plugin for WordPress is susceptible to a directory traversal vulnerability through its show_es_logs function. This flaw enables attackers with administrator-level access to navigate the server's file system and read arbitrary files, potentially exposing sensitive data from other sites, particularly in shared hosting scenarios. Organizations using this plugin should take immediate action to mitigate associated risks.

Affected Version(s)

Icegram Express – Email Marketing, Newsletters and Automation for WordPress & WooCommerce * <= 5.6.23

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://plugins.trac.wordpress.org/browser/email-subscrib...
https://plugins.trac.wordpress.org/changeset?sfp_email=&s...

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Marco Wotschka
.