Email Subscribers by Icegram Express Vulnerability – Email Marketing, Newsletters, Automation for WordPress & WooCommerce – Unauthenticated SQL Injection – CVE-2024-2876 | WordPress Plugin Vulnerability Report

Plugin Name: Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce

Key Information:

  • Software Type: Plugin
  • Software Slug: email-subscribers
  • Software Status: Active
  • Software Author: icegram
  • Software Downloads: 10,452,815
  • Active Installs: 90,000
  • Last Updated: April 25, 2024
  • Patched Versions: 5.7.15
  • Affected Versions: <= 5.7.14

Vulnerability Details:

  • Name: Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin <= 5.7.14
  • Title: Unauthenticated SQL Injection
  • Type: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE: CVE-2024-2876
  • CVSS Score: 9.8
  • Publicly Published: April 15, 2024
  • Researcher: Arkadiusz Hydzik
  • Description: The plugin is vulnerable to SQL Injection through the 'run' function of the 'IG_ES_Subscribers_Query' class due to insufficient input escaping and inadequate SQL query preparation. This flaw allows unauthenticated attackers to manipulate SQL queries and potentially access or alter sensitive database information.


The Email Subscribers by Icegram Express plugin for WordPress has a critical vulnerability in versions up to and including 5.7.14 that allows unauthenticated SQL injection. This vulnerability, posing severe security risks, has been patched in version 5.7.15.

Detailed Overview:

This severe SQL Injection vulnerability, identified by cybersecurity researcher Arkadiusz Hydzik, could allow attackers without any authenticated status to execute arbitrary SQL commands against the website's database. Such actions could result in unauthorized access to personal data of subscribers, manipulation of website data, or even complete takeover of the website, depending on the database's permissions. The vulnerability stems from a fundamental security oversight in the way user inputs were handled within the plugin's querying functions.

Advice for Users:

  • Immediate Action: All users of the plugin should immediately update to the patched version 5.7.15 to prevent potential exploits.
  • Check for Signs of Vulnerability: Administrators should check their websites for any unusual database queries or unauthorized data accesses which might have occurred prior to updating.
  • Alternate Plugins: Users concerned about repeated vulnerabilities in this plugin may consider exploring other reputable email marketing plugins as a precaution.
  • Stay Updated: Regular updates and monitoring of security advisories for active plugins are essential to maintain a secure WordPress environment.


The swift patching of this vulnerability by Icegram highlights the necessity of prompt responses to security threats in maintaining user trust and data integrity. Users are encouraged to regularly update their plugins and to stay informed about potential vulnerabilities to protect their WordPress installations effectively. Continuing to educate oneself about the implications of such vulnerabilities and implementing robust security measures can significantly mitigate risks.


Detailed Report: 

In the dynamic realm of digital commerce and communication, the security of your WordPress website can be compromised by what seems like minor oversights. A stark reminder of this comes from a recent discovery involving the popular "Email Subscribers by Icegram Express" plugin—a tool utilized by over 90,000 websites for email marketing, newsletters, and automation. This plugin was found to have a severe vulnerability, identified as CVE-2024-2876, that allowed unauthenticated SQL injection, posing a high risk to website integrity and user data.

Risks and Potential Impacts

This SQL injection vulnerability could allow attackers to access personal data of subscribers, manipulate website data, or take complete control of the website, depending on the database permissions. The ease of exploiting this vulnerability without needing to authenticate makes it particularly dangerous, posing severe risks to both data security and operational integrity.

Previous Vulnerabilities and Continuous Vigilance

With 21 vulnerabilities reported since August 2015, the history of the Email Subscribers plugin highlights the challenges of maintaining secure software. Each incident underscores the importance of quick responses to security issues and proactive prevention measures.


The quick resolution of CVE-2024-2876 by Icegram underscores the importance of rapid responses to security threats. For small business owners managing WordPress sites, staying vigilant and keeping software updated are not just best practices but essential strategies to protect against sophisticated cyber threats. Regular updates, combined with an active security monitoring routine, are critical in preventing potential disruptions and safeguarding sensitive customer information.

The lesson is clear: in the digital world, the security of your online presence is as crucial as the functionality of your website. Taking the time to regularly review and update your WordPress plugins can save you from potential future crises, ensuring your digital storefront remains secure and trusted by your users.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

Email Subscribers by Icegram Express Vulnerability – Email Marketing, Newsletters, Automation for WordPress & WooCommerce – Unauthenticated SQL Injection – CVE-2024-2876 | WordPress Plugin Vulnerability Report FAQs

Leave a Comment