Platform: wordpress
Component: email-subscribers
Fixed in: 5.7.21
CVE-2024-4295 is a critical SQL Injection vulnerability affecting the Email Subscribers by Icegram Express plugin for WordPress. This flaw allows unauthenticated attackers to inject malicious SQL queries, potentially leading to data exfiltration and compromise of the WordPress database. The vulnerability impacts versions up to and including 5.7.20. A patch is available; upgrading is the recommended remediation.
The SQL Injection vulnerability in Email Subscribers by Icegram Express poses a significant threat to WordPress websites utilizing the plugin. An attacker can exploit this flaw by manipulating the ‘hash’ parameter to inject arbitrary SQL code into existing queries. Successful exploitation could allow an attacker to extract sensitive information stored in the database, such as user credentials, email addresses, and other personal data. Depending on database permissions, an attacker might even be able to modify or delete data, leading to website defacement or complete data loss. This vulnerability is particularly concerning given the plugin's popularity and the potential for widespread exploitation.
CVE-2024-4295 was publicly disclosed on June 5, 2024. While no active exploitation campaigns have been definitively confirmed at the time of writing, the critical severity and ease of exploitation suggest a high probability of exploitation. The vulnerability is not currently listed in the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge, increasing the risk of widespread attacks.
Exploit Status
EPSS: 92.80% (100th percentile)
The primary mitigation for CVE-2024-4295 is to immediately upgrade the Email Subscribers by Icegram Express plugin to a version beyond 5.7.20, where the vulnerability has been addressed. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily disabling the plugin to prevent exploitation. While not a complete solution, implementing a Web Application Firewall (WAF) with SQL Injection protection rules can provide an additional layer of defense. Carefully review and sanitize all user inputs within the plugin's code if custom modifications have been made.
Update the Email Subscribers by Icegram Express plugin to the latest available version. The SQL Injection vulnerability was fixed in versions later than 5.7.20. This prevents unauthenticated attackers from executing malicious SQL queries against your database.
CVE-2024-4295 is a critical SQL Injection vulnerability in the Email Subscribers by Icegram Express WordPress plugin, allowing attackers to extract data.
You are affected if you are using Email Subscribers by Icegram Express version 5.7.20 or earlier. Check your plugin version immediately.
Upgrade the Email Subscribers by Icegram Express plugin to a version greater than 5.7.20. If upgrading is not possible, disable the plugin temporarily.
While no confirmed active exploitation campaigns are known, the vulnerability's severity and ease of exploitation suggest a high risk of future attacks.
Check the Icegram Express website and WordPress plugin repository for official security advisories and updates related to CVE-2024-4295.