Stored Cross-Site Scripting in Email Subscribers by Icegram Express Plugin for WordPress
CVE-2024-11636
Key Information:
- Vendor: WordPress
- CVE Published: 13 January 2025
Summary
The Email Subscribers by Icegram Express plugin for WordPress, in all versions prior to 5.7.45, is vulnerable to Stored Cross-Site Scripting (XSS) because certain Text Block options are not properly sanitized on input and escaped on output. Authenticated users with high privileges, such as administrators, can therefore store arbitrary web scripts that execute in the browser of anyone who views the affected content, and this remains possible even where the unfiltered_html capability is restricted, as in multisite installations. The vulnerability poses a significant risk, since the injected scripts can compromise the integrity of the site.
Affected Version(s)
Email Subscribers by Icegram Express: all versions from 0 up to, but not including, 5.7.45
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which can lead to ransomware.
Timeline
- 🟡 Public PoC available
- 👾 Exploit known to exist
- Vulnerability published
- Vulnerability reserved