Icegram Email Subscribers by Icegram Express
Moderate fix1 remedy
cpe:2.3:a:icegram:email_subscribers_&_newsletters:*:*:*:*:wordpress:*:*
Moderate fix1 remedy
- <= 5.9.16
Email Subscribers by Icegram Express WordPress Plugin SQL Injection Vulnerability
Vulnerability
Patched
A SQL injection vulnerability has been identified in the Email Subscribers by Icegram Express plugin for WordPress, affecting all versions through 5.9.16. The issue arises from inadequate escaping of user-supplied data in the 'workflow_ids' parameter, allowing authenticated attackers with administrator privileges to inject additional SQL queries. This exploitation could lead to unauthorized access to sensitive database information.
Impact
Exploitation of this vulnerability allows authenticated administrators to execute arbitrary SQL commands, potentially leading to extraction or manipulation of database information. In a proof-of-concept, the vulnerability was used to extract the password hash of an admin user.
Reproduction
To reproduce this vulnerability, an authenticated user with administrator privileges can send a request to the WordPress AJAX endpoint 'wp_ajax_icegram-express' with the 'workflow_ids' parameter. The injected SQL payload can be crafted to extract sensitive information from the database, such as user password hashes.
Remediation
Users are advised to update the Email Subscribers by Icegram Express plugin to version 5.9.17 or later.
Added: Mar 4, 2026, 2:24 AM
Updated: Mar 4, 2026, 2:24 AM
Vulnerability Rating
Custom Algorithm
spread
3.4impact
3.1exploitability
6.3remediation
7.7relevance
3.5threat
6.4urgency
2.9incentive
0.0Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.