Email Subscribers by Icegram Express Vulnerability – Unauthenticated SQL Injection via hash – CVE-2024-4295 | WordPress Plugin Vulnerability Report

Plugin Name: Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce

Key Information:

  • Software Type: Plugin
  • Software Slug: email-subscribers
  • Software Status: Active
  • Software Author: icegram
  • Software Downloads: 10,659,578
  • Active Installs: 90,000
  • Last Updated: June 18, 2024
  • Patched Versions: 5.7.21
  • Affected Versions: <= 5.7.20

Vulnerability Details:

  • Name: Email Subscribers by Icegram Express <= 5.7.20
  • Title: Unauthenticated SQL Injection via hash
  • Type: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • CVE: CVE-2024-4295
  • CVSS Score: 9.8
  • Publicly Published: June 4, 2024
  • Researcher: 1337_Wannabe
  • Description: The Email Subscribers by Icegram Express plugin for WordPress is vulnerable to SQL Injection via the ‘hash’ parameter in versions up to 5.7.20. This vulnerability arises from insufficient input validation and escaping on user-supplied parameters, allowing unauthenticated attackers to inject malicious SQL queries. Exploitation of this flaw could lead to unauthorized access to sensitive information stored in the website’s database.

Summary:

The Email Subscribers by Icegram Express plugin for WordPress has a vulnerability in versions up to and including 5.7.20 that allows unauthenticated attackers to execute SQL Injection attacks via the ‘hash’ parameter. This vulnerability has been patched in version 5.7.21.

Detailed Overview:

The SQL Injection vulnerability in Email Subscribers by Icegram Express, discovered by researcher 1337_Wannabe, stems from improper handling of user input in the ‘hash’ parameter. By exploiting this flaw, attackers can manipulate SQL queries to extract sensitive data from the database, posing significant risks to website security and user privacy. Immediate updating to version 5.7.21 or later is strongly advised to mitigate this vulnerability. Site administrators should also conduct a thorough security audit to ensure no unauthorized access or data breaches have occurred.
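The page does not show the plugin's own query, so the following is an added illustration, not code from Email Subscribers by Icegram Express: it shows the defect class the advisory names (a request parameter spliced into SQL text without escaping or binding) beside the hardened form a plugin audit should expect, using WordPress's `$wpdb->prepare()`. The table name, function names and the request flow are assumptions.

```php
<?php
// Added illustration, not the Email Subscribers plugin's code. Table name,
// function names and request flow are assumptions; only the defect class
// (unescaped, unbound request input in SQL) matches what the advisory states.

// BEFORE: the raw 'hash' request value becomes part of the SQL string, so the
// query's structure, not just the compared value, is controlled by whoever
// sends the request. This is the pattern to flag when reviewing a plugin.
function lookup_subscriber_unsafe( $hash ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_subscribers'; // assumed table name
    $sql   = "SELECT id, email FROM {$table} WHERE hash = '" . $hash . "' LIMIT 1";
    return $wpdb->get_row( $sql );
}

// AFTER: the value is bound through $wpdb->prepare(), so it is always treated
// as data and can never change the query's structure. $wpdb->prefix is
// trusted configuration, which is why the table name may be interpolated.
function lookup_subscriber_safe( $hash ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_subscribers'; // assumed table name
    $sql   = $wpdb->prepare(
        "SELECT id, email FROM {$table} WHERE hash = %s LIMIT 1",
        $hash
    );
    return $wpdb->get_row( $sql );
}

// Entry point as an unauthenticated request handler might reach it.
function handle_hash_request() {
    if ( ! isset( $_GET['hash'] ) ) {
        return null;
    }
    // wp_unslash() undoes WordPress's added slashes; sanitize_text_field()
    // strips tags and control characters before the value goes anywhere.
    $hash = sanitize_text_field( wp_unslash( $_GET['hash'] ) );

    // Defence in depth: a subscriber hash has a known shape, so reject
    // anything outside that allowlist before it reaches the database at all.
    // The exact pattern is an assumption about the hash format.
    if ( ! preg_match( '/^[A-Za-z0-9_=-]{1,128}$/', $hash ) ) {
        return null;
    }
    return lookup_subscriber_safe( $hash );
}
```

The binding in `lookup_subscriber_safe()` is the actual fix; the allowlist in `handle_hash_request()` is a second layer that also makes log review easier, because any request whose `hash` value fails the pattern is, by construction, not a legitimate subscriber link.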

Advice for Users:

  • Immediate Action: Update Email Subscribers by Icegram Express to version 5.7.21 or newer immediately.
  • Check for Signs of Vulnerability: Monitor database logs for any unusual queries or unauthorized access attempts.
  • Alternate Plugins: Consider temporarily disabling or switching to alternative plugins offering similar functionalities until Email Subscribers by Icegram Express is updated and verified secure.
  • Stay Updated: Regularly update all WordPress plugins and themes to their latest versions to avoid vulnerabilities and maintain site security.

Conclusion:

The swift response from Icegram in releasing version 5.7.21 underscores the importance of prompt updates in mitigating potential security risks. Website administrators are urged to ensure their installations are running version 5.7.21 or later to safeguard against SQL Injection and other vulnerabilities.

Detailed Report: 

In the ever-evolving landscape of cybersecurity, vigilance is key to safeguarding your WordPress website. Recently, a critical vulnerability has surfaced in the Email Subscribers by Icegram Express plugin, identified as CVE-2024-4295. This flaw allows unauthenticated attackers to exploit SQL Injection via the plugin’s ‘hash’ parameter, potentially compromising sensitive database information. With over 90,000 active installations and 10,659,578 downloads, the impact of such vulnerabilities underscores the imperative of proactive security measures.

Risks/Potential Impacts of the Vulnerability:

The SQL Injection vulnerability poses significant risks to website security and user privacy. Attackers can exploit this flaw to execute arbitrary SQL queries, potentially accessing or modifying sensitive data within the website’s database. This could lead to data breaches, loss of confidential information, and damage to the website’s reputation.

How to Remediate the Vulnerability:

Immediate action is crucial. Update the Email Subscribers by Icegram Express plugin to version 5.7.21 or newer immediately. This patched version addresses the SQL Injection vulnerability and enhances the plugin’s security measures. Additionally, conduct a thorough security audit to ensure no unauthorized access or data breaches have occurred.

Overview of Previous Vulnerabilities:

Since August 10, 2015, Email Subscribers by Icegram Express has faced 24 previous vulnerabilities, highlighting the importance of staying updated with plugin updates and security patches.

Conclusion:

Staying on top of security vulnerabilities like CVE-2024-4295 is paramount for website owners, particularly those running small businesses with limited time for technical details. Prompt updates and regular monitoring of plugin vulnerabilities are essential practices to mitigate risks and maintain website security. By prioritizing security updates and adopting proactive measures, you can safeguard your WordPress site against potential threats and ensure a secure online presence.

Staying Secure

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.
