Platform
wordpress
Component
email-subscribers
Fixed in
5.6.24
CVE-2023-5414 is a directory traversal vulnerability in the Icegram Express plugin for WordPress (plugin slug email-subscribers). An authenticated attacker holding an administrator account can abuse the plugin's showeslogs function to read arbitrary files on the server, exposing sensitive information such as wp-config.php. Versions up to and including 5.6.23 are affected; 5.6.24 fixes the issue, and sites should upgrade. Because exploitation requires administrator privileges, this is not an unauthenticated or low-privilege issue, and its severity should be read with that requirement in mind.
The flaw is a failure to confine the file path handed to the showeslogs log viewer to the plugin's own log directory. An administrator can supply a path containing traversal sequences (for example ../ or its URL-encoded forms) and the function reads the resulting file instead of a plugin log. On a single site, note that a WordPress administrator can normally install plugins and therefore already run arbitrary PHP, so the file read adds little unless file modification is disabled (for example via DISALLOW_FILE_MODS) or the administrator role has been deliberately constrained. The real exposure is in environments where an administrator of one site is not supposed to reach other data on the same host: shared hosting and multisite installs, where database credentials, configuration files, or code belonging to other tenants could be read. The bug also gives an attacker who has phished or credential-stuffed an admin account a quiet way to harvest secrets without touching the plugin installer.
CVE-2023-5414 was publicly disclosed on 2023-10-20. No active exploitation campaigns have been confirmed, and the vulnerability is not currently listed in the CISA KEV catalog. Directory traversal is trivial to exploit once the required access is held, so a working proof of concept is easy to construct; the administrator requirement, not the complexity of the bug, is what limits mass exploitation.
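The pattern behind the bug, as an added example that is not Icegram Express code: a log viewer that joins user input onto its log directory, the common "strip ../" non-fix and why it fails, and the realpath-containment check that a correct fix needs. The directory layout, file names and log contents are constructed here for the demonstration.

```python
"""Directory traversal in a log viewer: vulnerable pattern vs. contained access.

Added example; models the class of bug described on the page, not the plugin's code.
"""
import os
import tempfile

# Constructed sample secret placed in a file outside the log directory (not a real credential).
SECRET = "define('DB_PASSWORD', 'constructed-secret');"


def sanitize_by_stripping(name: str) -> str:
    """A frequently seen but broken mitigation: delete '../' once.

    '....//' survives the single pass as '../', so the traversal still works.
    """
    return name.replace("../", "")


def read_log_naive(log_dir: str, name: str) -> str:
    """Vulnerable pattern: join the request-supplied name onto the log directory and read it.

    os.path.join neither rejects '../' nor stops an absolute 'name' from replacing log_dir.
    """
    path = os.path.join(log_dir, name)
    with open(path, encoding="utf-8") as fh:
        return fh.read()


def read_log_contained(log_dir: str, name: str) -> str:
    """Hardened pattern: resolve symlinks and '..' first, then require the result
    to stay under the log directory and to look like a log file."""
    base = os.path.realpath(log_dir)
    target = os.path.realpath(os.path.join(base, name))
    # commonpath works on resolved absolute paths; a bare prefix check would accept
    # a sibling directory such as '/srv/logs-private' when base is '/srv/logs'.
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"refusing to read outside {base}: {name!r}")
    if not target.endswith(".log"):
        raise PermissionError("only .log files may be viewed")
    with open(target, encoding="utf-8") as fh:
        return fh.read()


def build_fixture() -> str:
    """Create <tmp>/logs/es.log and <tmp>/wp-config.php; return the log directory."""
    root = tempfile.mkdtemp(prefix="es-demo-")
    log_dir = os.path.join(root, "logs")
    os.mkdir(log_dir)
    with open(os.path.join(log_dir, "es.log"), "w", encoding="utf-8") as fh:
        fh.write("2023-10-20 mail sent\n")
    with open(os.path.join(root, "wp-config.php"), "w", encoding="utf-8") as fh:
        fh.write(SECRET + "\n")
    return log_dir


def demo() -> dict:
    """Run the three readers against the fixture and report what each one does."""
    log_dir = build_fixture()
    results = {}
    results["legit"] = read_log_contained(log_dir, "es.log")
    results["naive_leaks"] = SECRET in read_log_naive(log_dir, "../wp-config.php")
    results["strip_bypass_leaks"] = SECRET in read_log_naive(
        log_dir, sanitize_by_stripping("....//wp-config.php")
    )
    try:
        read_log_contained(log_dir, "../wp-config.php")
        results["contained_blocks"] = False
    except PermissionError:
        results["contained_blocks"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The containment check must run on the resolved path (after realpath), not on the raw input: checking the string for "../" misses encoded, doubled, or symlink-based variants, which is exactly why the stripping approach above fails.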
Exploit Status: no confirmed in-the-wild exploitation; not listed in CISA KEV
EPSS: 2.09% (84th percentile)
CVSS Vector
The primary mitigation for CVE-2023-5414 is to upgrade Icegram Express to 5.6.24 or later, which corrects the directory traversal and stops administrator accounts from reading files outside the plugin's log directory. If an immediate upgrade is blocked by compatibility concerns, reduce exposure in the meantime: the vulnerable function is an administrator-only feature, so audit which accounts hold the administrator role, remove stale ones and require two-factor authentication for the rest; and add a web application firewall rule that rejects requests to the plugin's admin pages whose parameters contain traversal sequences (../, ..\ and their URL-encoded or double-encoded forms). Server-level rules such as .htaccess are a poor fit here, because the function is reached through WordPress admin requests rather than a distinct file path. Monitor web server and WordPress logs for admin requests carrying such sequences or referencing files like wp-config.php. After upgrading, confirm the fix on a staging copy by requesting a log path that includes ../ sequences pointing at a known file outside the log directory and verifying that the plugin refuses it rather than returning the file's contents; requesting a non-existent file proves nothing, since that fails on vulnerable versions too.
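The log monitoring suggested above, as an added example rather than anything shipped with the plugin or by its vendor: a small detector that parses Apache/Nginx combined-format access log lines, URL-decodes the request target repeatedly to defeat double encoding, and flags admin requests carrying traversal sequences or sensitive file names. The log lines are constructed for the example, the client IPs are from the TEST-NET range, and the query parameter name file= is hypothetical; the real parameter and the exact admin page should be taken from the plugin, and the /wp-admin/ scope filter adjusted accordingly.

```python
"""Flag directory traversal attempts in web server access logs (added example)."""
import re
from urllib.parse import unquote

# Apache/Nginx combined log format; only the fields the detector needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)

# Traversal sequences plus file names an attacker would typically aim for.
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.\\|/etc/passwd|wp-config\.php)", re.IGNORECASE)


def fully_decode(value: str, rounds: int = 3) -> str:
    """URL-decode until stable (bounded), so %252e%252e%252f is seen as ../ too."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_traversal(lines):
    """Return one record per suspicious request: who, when, decoded target, status."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        target = fully_decode(m["target"])
        # Assumption for this example: the log viewer is reached via a wp-admin page.
        # Scoping to /wp-admin/ keeps generic scanner noise out of the alert stream.
        if "/wp-admin/" not in target:
            continue
        if TRAVERSAL_RE.search(target):
            hits.append(
                {"ip": m["ip"], "ts": m["ts"], "target": target, "status": int(m["status"])}
            )
    return hits


# Constructed sample log lines for the demonstration.
SAMPLE_LOG = [
    '203.0.113.5 - admin [20/Oct/2023:10:15:32 +0000] "GET /wp-admin/admin.php?page=es_dashboard HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - admin [20/Oct/2023:10:15:40 +0000] "GET /wp-admin/admin.php?page=es_dashboard&file=../../wp-config.php HTTP/1.1" 200 3021 "-" "Mozilla/5.0"',
    '203.0.113.9 - admin [20/Oct/2023:10:16:02 +0000] "GET /wp-admin/admin.php?page=es_dashboard&file=%252e%252e%252f%252e%252e%252fwp-config.php HTTP/1.1" 200 3021 "-" "curl/8.1.0"',
    '198.51.100.7 - - [20/Oct/2023:10:16:30 +0000] "GET /index.php HTTP/1.1" 200 8841 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [20/Oct/2023:10:16:31 +0000] "GET /?file=../../etc/passwd HTTP/1.1" 404 211 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for hit in find_traversal(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['ip']} -> {hit['status']} {hit['target']}")
```

A 200 status on a flagged request is the line worth paging on; a 4xx suggests the WAF or the patched plugin rejected it. Feed the function real log lines with something like `find_traversal(open("/var/log/apache2/access.log"))`.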
CVE-2023-5414 is a directory traversal vulnerability in the Icegram Express WordPress plugin that lets an authenticated administrator read arbitrary files on the server.
You are affected if you are running Icegram Express version 5.6.23 or earlier. Check the installed version under Plugins in the WordPress dashboard, or with WP-CLI: wp plugin get email-subscribers --field=version. Upgrade immediately.
Upgrade Icegram Express to 5.6.24 or later. If an immediate upgrade is not possible, restrict and harden administrator accounts and add WAF rules that block traversal sequences in requests to the plugin's admin pages as a temporary measure.
No active exploitation campaigns have been confirmed. Exploitation requires an administrator account, so the main risk is from compromised admin credentials and from shared or multisite hosts where one site's administrator should not be able to read another tenant's files.
Refer to the Icegram Express website and WordPress plugin repository for the latest advisory and update information.