WordPress Plugin Vulnerability Report – Icegram Express – Email Marketing, Newsletters and Automation for WordPress & WooCommerce – Authenticated Directory Traversal – CVE-2023-5414

Plugin Name: Icegram Express – Email Marketing, Newsletters and Automation for WordPress & WooCommerce

Key Information:

  • Software Type: Plugin
  • Software Slug: email-subscribers
  • Software Status: Active
  • Software Author: icegram
  • Software Downloads: 9,788,187
  • Active Installs: 100,000
  • Last Updated: October 11, 2023
  • Patched Versions: 5.6.24
  • Affected Versions: <= 5.6.23

Vulnerability Details:

  • Name: Icegram Express <= 5.6.23 - Authenticated (Administrator+) Directory Traversal to Arbitrary File Read
  • Type: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
  • CVE: CVE-2023-5414
  • CVSS Score: 9.1
  • Publicly Published: October 11, 2023
  • Researcher: Marco Wotschka
  • Description: The Icegram Express plugin for WordPress is vulnerable to Directory Traversal in versions up to, and including, 5.6.23 via the show_es_logs function. This allows administrator-level attackers to read the contents of arbitrary files on the server, which can contain sensitive information, including those belonging to other sites, for example in shared hosting environments.
  • References:
    • Wordfence Threat Intel Report
    • WordPress Plugins Directory


The Icegram Express plugin for WordPress has a vulnerability in versions up to and including 5.6.23 that allows administrator-level attackers to perform Directory Traversal attacks. This vulnerability has been patched in version 5.6.24.

Detailed Overview:

The identified vulnerability in the Icegram Express plugin is a Directory Traversal issue, which means that an attacker with administrator-level access can navigate through directories on the server and potentially read sensitive files. This is a critical security risk, especially in shared hosting environments, where multiple websites share the same server.

The high CVSS score of 9.1 indicates the severe nature of this vulnerability. If exploited, it could lead to unauthorized access to sensitive data and compromise the security of affected websites.

Vulnerability Remediation:

  1. Immediate Action: Site administrators are strongly advised to update the Icegram Express plugin to the patched version 5.6.24 immediately.
  2. Check for Signs of Vulnerability: Administrators should monitor their websites for any unusual or unauthorized activities, such as unexpected file access or changes to system files.
  3. Consider Alternatives: While a patch is available, website owners may want to explore alternative plugins that offer similar functionality to mitigate risks.
  4. Stay Updated: Regularly update all WordPress plugins, themes, and core software to the latest versions to prevent vulnerabilities.


The prompt response from the plugin developers in releasing a patch for this critical vulnerability underscores the importance of timely updates. To secure their WordPress installations, users are strongly urged to update the Icegram Express – Email Marketing, Newsletters and Automation for WordPress & WooCommerce plugin to version 5.6.24 or later. This proactive approach will help protect websites from potential security threats and maintain a secure online presence.


Detailed Report:

Keeping your WordPress website secure should be a top priority for any business owner, but it can be difficult to stay on top of the latest threats. Unfortunately, a severe vulnerability was recently discovered in a widely used WordPress plugin, Icegram Express – Email Marketing, Newsletters and Automation for WordPress & WooCommerce, that puts websites at risk. This plugin, which has over 9 million downloads and an estimated 100,000 active installs, is vulnerable to a critical authenticated directory traversal flaw tracked as CVE-2023-5414.

According to the vulnerability report, versions up to and including 5.6.23 of Icegram Express contain the security flaw which allows authenticated users with at least administrator access to traverse directories and read arbitrary files on the server. This issue received a severity score of 9.1 out of 10 on the CVSS scale, indicating its high risk level.

Successful exploitation of this vulnerability could have serious consequences, especially on shared hosting environments. Attackers could leverage it to access and exfiltrate sensitive data from other sites hosted on the same server. This could lead to a complete compromise of your website, unauthorized access to customer information, and other impacts.

The good news is that the developers have released version 5.6.24 which addresses this vulnerability. As a website owner, you should update to the latest secure version as soon as possible. You should also monitor your site closely for any suspicious activity and consider migrating to alternative plugins to mitigate risks from this plugin.

This is not the first vulnerability uncovered in this plugin. In fact, there have been 17 previous vulnerabilities reported since 2015, which highlights the importance of staying vigilant and promptly updating WordPress, plugins, and themes whenever new versions are released.

Keeping your website secure from the latest threats can be challenging for small business owners with limited time and resources. However, being proactive about updates and monitoring for unusual activities can go a long way in keeping your site safe from attacks. Don't hesitate to seek expert help to ensure your WordPress site stays secure. The risks are far too great to let vulnerabilities slip through the cracks.

Staying on top of WordPress security can feel overwhelming for small business owners without dedicated IT staff. At Your WP Guy, we exist to shoulder that burden for you. Our WordPress experts can fully audit, secure, maintain and support your site - so you can focus on growing your business with peace of mind.

Don't tackle security risks alone. Let us help you assess any impact from this vulnerability, update your plugins, and implement ongoing maintenance to avoid future threats. We treat your website like it's our own - because we know how critical it is for reaching your customers.

Get in touch for a free consultation today on making WordPress security stress-free. Call 678-995-5169 or book a call here. Our knowledgeable team is ready to help you safeguard your online presence.

WordPress Plugin Vulnerability Report – Icegram Express – Email Marketing, Newsletters and Automation for WordPress & WooCommerce – Authenticated Directory Traversal – CVE-2023-5414 FAQs

Leave a Comment