Email Subscribers by Icegram Express Vulnerability – Authenticated (Administrator+) Cross-Site Scripting & Missing Authorization – CVE-2024-2656 & CVE-2024-31352 | WordPress Plugin Vulnerability Report

Plugin Name: Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce

Key Information:

  • Software Type: Plugin
  • Software Slug: email-subscribers
  • Software Status: Active
  • Software Author: icegram
  • Software Downloads: 10,401,859
  • Active Installs: 90,000
  • Last Updated: April 15, 2024
  • Patched Versions: 5.7.16
  • Affected Versions: <= 5.7.15

Vulnerability Details:

  1. Name: Icegram Express <= 5.7.14
    • Title: Authenticated (Administrator+) Cross-Site Scripting via CSV import
    • Type: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N
    • CVE: CVE-2024-2656
    • CVSS Score: 4.4
    • Publicly Published: April 5, 2024
    • Researcher: Peter17
    • Description: The plugin is vulnerable to Stored Cross-Site Scripting via a CSV import due to insufficient input sanitization and output escaping. This vulnerability allows authenticated attackers with administrator-level permissions to inject arbitrary web scripts in pages, which execute whenever a user accesses an injected page.
  2. Name: Email Subscribers & Newsletters <= 5.7.13
    • Title: Missing Authorization
    • Type: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
    • CVE: CVE-2024-31352
    • CVSS Score: 5.3
    • Publicly Published: April 5, 2024
    • Researcher: Mika
    • Description: The plugin is vulnerable to unauthorized access due to a missing capability check. This vulnerability allows unauthenticated attackers to perform unauthorized actions.


The Email Subscribers by Icegram Express plugin for WordPress has vulnerabilities in versions up to and including 5.7.15 that expose it to cross-site scripting and unauthorized access issues. These vulnerabilities have been patched in version 5.7.16.

Detailed Overview:

The plugin suffered from two significant vulnerabilities: Cross-Site Scripting via CSV import and Missing Authorization. The Cross-Site Scripting vulnerability was particularly dangerous in multi-site installations and those without unfiltered_html enabled, permitting attackers to execute scripts under specific conditions. The Missing Authorization vulnerability allowed for unauthorized actions without the need for authentication. Both issues have been addressed by the developers in the latest patch.

Advice for Users:

  • Immediate Action: Update to version 5.7.16 immediately.
  • Check for Signs of Vulnerability: Regularly review your site logs and user roles for any unusual activities.
  • Alternate Plugins: While a patch is available, consider using alternative plugins offering similar functionality as a precaution.
  • Stay Updated: Always ensure that your plugins are updated to the latest versions to avoid vulnerabilities.


The prompt response from the plugin developers to patch these vulnerabilities underscores the importance of timely updates. Users are advised to ensure that they are running version 5.7.16 or later to secure their WordPress installations.


Detailed Report: 


In today’s digital landscape, the security of your website cannot be taken lightly. A recent discovery of critical vulnerabilities in a popular WordPress plugin—Email Subscribers by Icegram Express—serves as a stark reminder. This plugin, integral for email marketing and automation for WordPress & WooCommerce, is used actively on over 90,000 sites. The identified vulnerabilities, if exploited, could compromise your site’s integrity and the trust of your visitors.

Plugin Overview

Plugin Name: Email Subscribers by Icegram Express
Key Features: Email marketing, newsletters, automation
Active Installs: 90,000
Software Downloads: 10,401,859
Last Updated: April 15, 2024
Current Version: 5.7.16

Vulnerability Details

  • CVE-2024-2656 (Cross-Site Scripting via CSV import): This vulnerability allows authenticated administrators to execute arbitrary scripts through CSV file imports. It affects all plugin versions up to and including 5.7.14.
  • CVE-2024-31352 (Missing Authorization): This flaw enables unauthenticated users to perform unauthorized actions due to missing capability checks. It affects versions up to and including 5.7.13.

These vulnerabilities were publicly disclosed on April 5, 2024, highlighting issues ranging from stored cross-site scripting to unauthorized access, posing serious security threats particularly in multi-site installations.

Risks and Potential Impacts

The cross-site scripting vulnerability could allow attackers to manipulate web pages or steal confidential information whenever a user accesses a compromised page. The missing authorization issue could enable attackers to alter site content or functionalities unauthorizedly. Such breaches can lead to loss of customer trust, data theft, and even legal consequences.

Remediation Steps

Immediate Actions:

  1. Update to Version 5.7.16: This version patches the vulnerabilities. Access your WordPress dashboard > Plugins > Update.

  2. Audit Your Site: Check logs and user roles for unusual activities that might indicate exploitation.
  3. Consult a Professional: If unsure, seek professional help to ensure your site is secure.

Preventive Measures:

  • Regularly update your plugins and WordPress core.
  • Use strong, unique passwords for all user accounts.
  • Implement security plugins that limit login attempts and scan for malware.

Historical Vulnerability Overview

Since August 10, 2015, the Email Subscribers plugin has encountered 19 reported vulnerabilities. This history underscores the importance of regular updates and vigilance.


For small business owners, juggling daily operations with website maintenance can be daunting. However, neglecting the latter could result in severe repercussions. Implementing rigorous update routines and security checks can protect not just your digital assets but your business reputation. Remember, security is not a one-time task but an ongoing process to safeguard your digital presence against evolving threats.

Final Thoughts

Staying proactive with website security is crucial. By keeping your software updated and being aware of potential vulnerabilities, you can significantly mitigate risks and ensure your website remains a secure and reliable resource for your customers.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

Email Subscribers by Icegram Express Vulnerability – Authenticated (Administrator+) Cross-Site Scripting & Missing Authorization – CVE-2024-2656 & CVE-2024-31352 | WordPress Plugin Vulnerability Report FAQs

What are CVE-2024-2656 and CVE-2024-31352?

CVE-2024-2656 is a vulnerability in the Email Subscribers by Icegram Express plugin, allowing authenticated users with administrative rights to execute arbitrary scripts via CSV file imports. CVE-2024-31352 allows unauthenticated users to perform unauthorized actions due to a missing capability check in the plugin. Both vulnerabilities can significantly compromise the security of a WordPress site, particularly in environments where stringent user controls are not enforced.

Leave a Comment