SQL Injection Vulnerability in Icegram Express Email Marketing Plugin for WordPress & WooCommerce
CVE-2024-6172

9.8CRITICAL

Key Information:

Vendor: WordPress
Status: Email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter Plugin For WordPress
Vendor: CVE Published:; 2 July 2024

What is CVE-2024-6172?

The Email Subscribers by Icegram Express plugin for WordPress and WooCommerce is susceptible to a time-based SQL Injection vulnerability. This issue arises due to inadequate escaping of the 'db' parameter and insufficient query preparation, allowing unauthenticated attackers to inject additional SQL queries. Exploiting this vulnerability could enable attackers to retrieve sensitive information from the database by appending malicious SQL commands to existing queries, posing a significant risk to the integrity and confidentiality of user data.

Affected Version(s)

Email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter Plugin for WordPress 0 <= 5.7.25

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/email-subscrib...

https://plugins.trac.wordpress.org/changeset/3107964/emai...

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jul 2, 2024

CVE-2024-6172 Data

JSON