Platform: wordpress
Component: email-subscribers
Fixed in: 5.7.26
CVE-2024-6172 describes a critical SQL Injection vulnerability discovered in the Email Subscribers by Icegram Express plugin for WordPress. This flaw allows unauthenticated attackers to inject malicious SQL queries, potentially leading to data exfiltration and compromise of the WordPress database. The vulnerability affects versions up to and including 5.7.25. A patch is available from the vendor.
The SQL Injection vulnerability in Email Subscribers plugin allows attackers to manipulate database queries directly. An attacker could leverage this to extract sensitive information such as user credentials (usernames, passwords, email addresses), customer data, and potentially even WordPress administrative details. Successful exploitation could lead to complete database compromise, allowing attackers to modify data, gain unauthorized access to the WordPress backend, and potentially escalate their control over the entire website. The impact is particularly severe given the plugin's function of managing email subscribers, often containing personally identifiable information (PII).
CVE-2024-6172 was publicly disclosed on July 2, 2024. While no active exploitation campaigns have been definitively confirmed, the critical severity and ease of exploitation make it a high-priority target. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge given the vulnerability's nature and the plugin's popularity.
Exploit Status
EPSS: 2.30% (85th percentile)
The primary mitigation for CVE-2024-6172 is to immediately upgrade the Email Subscribers plugin to a version patched against this vulnerability. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily restricting access to the vulnerable parameter ('db') using a web application firewall (WAF) or by implementing input validation rules. While not a complete solution, this can reduce the attack surface. Monitor WordPress access logs for suspicious SQL queries targeting the plugin's functionality. After upgrading, confirm the fix by submitting a test SQL injection payload through the 'db' parameter and verifying that it is properly sanitized.
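As an added example (not from the advisory or the plugin's own code), the following Python script applies the log-monitoring advice above: it parses combined-format access log lines, decodes the 'db' query parameter, and flags values carrying common SQL injection indicators, including double-URL-encoded ones. The log lines are constructed samples, and the request path is a placeholder because the advisory does not name the vulnerable endpoint.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit
# Constructed sample entries in combined log format; the path is a placeholder since the advisory does not name the endpoint.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Jul/2024:10:01:12 +0000] "GET /index.php?db=12 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [02/Jul/2024:10:02:40 +0000] "GET /index.php?db=12%27%20OR%201%3D1-- HTTP/1.1" 200 5120 "-" "curl/8.4"
198.51.100.7 - - [02/Jul/2024:10:03:03 +0000] "GET /index.php?db=1+UNION+SELECT+1,2 HTTP/1.1" 200 880 "-" "python-requests/2.31"
198.51.100.8 - - [02/Jul/2024:10:04:15 +0000] "GET /index.php?db=1%2527%2520OR%25201%253D1 HTTP/1.1" 200 880 "-" "curl/8.4"
198.51.100.9 - - [02/Jul/2024:10:05:01 +0000] "GET /blog/post-about-db-design HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
"""

# Request line of a combined-format entry: method, target, protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Generic SQL injection indicators, checked against the fully decoded value.
SQLI_INDICATORS = [
    ("quote", re.compile(r"['\"]")),
    ("comment", re.compile(r"--|/\*|#")),
    ("union_select", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("tautology", re.compile(r"\b(?:or|and)\b\s*['\"\d]", re.I)),
    ("time_based", re.compile(r"\b(?:sleep|benchmark)\s*\(", re.I)),
]

def decode_param(target, name="db"):
    """Return every decoded value of a query parameter in a request target."""
    values = parse_qs(urlsplit(target).query, keep_blank_values=True).get(name, [])
    # parse_qs decodes one layer; a second unquote exposes double-encoded payloads.
    return [unquote(v) for v in values]

def flag_value(value):
    """Return the names of indicators that match one parameter value."""
    return [name for name, rx in SQLI_INDICATORS if rx.search(value)]

def scan_log(text):
    """Return (client_ip, decoded_value, indicators) for suspicious 'db' values."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        for value in decode_param(m.group("target")):
            indicators = flag_value(value)
            if indicators:
                hits.append((line.split(" ", 1)[0], value, indicators))
    return hits

if __name__ == "__main__":
    for ip, value, indicators in scan_log(SAMPLE_LOG):
        print(f"{ip}: db={value!r} -> {', '.join(indicators)}")
```

Requests that merely mention "db" in the path, or carry a plain numeric value, produce no hit; only the parameter value is inspected.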
Update the Email Subscribers by Icegram Express plugin to the latest version. Version 5.7.26 or higher fixes this SQL injection vulnerability.
CVE-2024-6172 is a critical SQL Injection vulnerability affecting the Email Subscribers plugin for WordPress, allowing attackers to extract sensitive data.
You are affected if you are using Email Subscribers plugin versions 5.7.25 or earlier. Check your plugin version and upgrade immediately.
Upgrade the Email Subscribers plugin to the latest version available from the WordPress plugin repository. Consider temporary WAF rules if immediate upgrade is not possible.
While no confirmed active exploitation campaigns are publicly known, the vulnerability's severity and ease of exploitation suggest it is a high-priority target.
Refer to the Icegram Express website and the WordPress plugin repository for the latest advisory and patched version.