Platform: wordpress
Component: email-subscribers
Fixed in: 5.7.15
CVE-2024-2876 is a critical SQL Injection vulnerability affecting the Email Subscribers by Icegram Express plugin for WordPress. This flaw allows unauthenticated attackers to inject malicious SQL queries, potentially leading to unauthorized data access and manipulation. The vulnerability impacts versions up to and including 5.7.14. A patch is available; immediate action is recommended.
The SQL Injection vulnerability in Email Subscribers plugin allows attackers to bypass authentication and directly interact with the WordPress database. Successful exploitation could result in the extraction of sensitive information such as user credentials, email addresses, subscriber lists, and potentially even WordPress configuration details. Attackers could also modify or delete data, leading to data loss and website disruption. Given the plugin's function as an email marketing tool, compromised subscriber lists could be used for spam campaigns or sold on the dark web. The impact is particularly severe for sites using this plugin to manage sensitive user data.
CVE-2024-2876 was publicly disclosed on May 2, 2024. Public proof-of-concept exploits are likely to emerge given the vulnerability's severity and ease of exploitation. The high CVSS score indicates a significant risk. Monitor security advisories and threat intelligence feeds for any indications of active exploitation campaigns targeting this vulnerability.
WordPress websites utilizing the Email Subscribers by Icegram Express plugin, particularly those with sensitive user data or those running older, unpatched versions (≤5.7.14), are at significant risk. Shared hosting environments where multiple websites share the same database are also at increased risk, as a compromise of one site could potentially lead to the compromise of others.
• wordpress / composer / npm:
# Confirms the affected class is present on disk; only the installed version tells you whether it is patched
grep -rl "IG_ES_Subscribers_Query" /var/www/html/wp-content/plugins/email-subscribers-by-icegram-express/
• generic web:
# Reads the packaged release from the plugin's readme.txt "Stable tag" line, if that file is served
curl -s https://your-wordpress-site.com/wp-content/plugins/email-subscribers-by-icegram-express/readme.txt | grep -i "stable tag"
• wordpress / composer / npm:
# WP-CLI lists plugins by slug together with their installed version
wp plugin list | grep email-subscribers
EPSS: 91.28% (100th percentile)
The primary mitigation is to immediately update the Email Subscribers by Icegram Express plugin to a version higher than 5.7.14 (5.7.15 or later), where the vulnerability has been addressed. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) with rules that filter potentially malicious SQL queries aimed at the 'run' function of the 'IG_ES_Subscribers_Query' class. Carefully review and sanitize all user inputs before incorporating them into SQL queries. Implement strict access controls so that only authorized users and applications can reach the database.
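The update check above comes down to one comparison: is the installed plugin version below 5.7.15? The shell script below is an added example (not from this advisory or from Icegram) that reads the Version: header WordPress keeps in a plugin's main PHP file and compares it numerically against the fixed release; the sample header is constructed, and the path to the real plugin file on your site is an assumption you supply.

```shell
# Added example, not from the advisory or the plugin vendor: read the "Version:"
# header of a WordPress plugin's main file and decide whether it falls in the
# range affected by CVE-2024-2876 (<= 5.7.14; fixed in 5.7.15).
FIXED_VERSION="5.7.15"
# Compare dotted versions numerically so that 5.10.0 > 5.7.15.
# Prints -1, 0 or 1 for a < b, a = b, a > b; missing components count as 0.
version_cmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        [ "$a" = "$ah" ] && a="" || a="${a#*.}"
        [ "$b" = "$bh" ] && b="" || b="${b#*.}"
        ah="${ah:-0}"; bh="${bh:-0}"
        if [ "$ah" -lt "$bh" ]; then printf '%s\n' -1; return; fi
        if [ "$ah" -gt "$bh" ]; then printf '%s\n' 1; return; fi
    done
    printf '%s\n' 0
}
# Pull the numeric version out of a header line such as " * Version: 5.7.14".
plugin_version() {
    sed -n 's/^[[:space:]]*\**[[:space:]]*Version:[[:space:]]*\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1
}
# True (exit 0) when the given version is older than the fixed release.
is_affected() {
    [ "$(version_cmp "$1" "$FIXED_VERSION")" -lt 0 ]
}
# Print a verdict for one plugin file; exit 0 affected, 1 patched, 2 unreadable.
check_plugin_file() {
    v="$(plugin_version "$1")"
    if [ -z "$v" ]; then echo "no Version header found in $1"; return 2; fi
    if is_affected "$v"; then
        echo "version $v is affected by CVE-2024-2876; update to $FIXED_VERSION or later"
        return 0
    fi
    echo "version $v is not affected"
    return 1
}
# Constructed sample header standing in for the real plugin file (assumed path on a live site).
SAMPLE_FILE="$(mktemp)"
trap 'rm -f "$SAMPLE_FILE"' EXIT
cat > "$SAMPLE_FILE" <<'EOF'
/**
 * Plugin Name: Email Subscribers by Icegram Express
 * Version: 5.7.14
 */
EOF
check_plugin_file "$SAMPLE_FILE"
```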
Update the Email Subscribers by Icegram Express plugin to the latest available version. The fixed version includes security measures to prevent SQL injection.
CVE-2024-2876 is a critical SQL Injection vulnerability in the Email Subscribers by Icegram Express WordPress plugin, allowing attackers to extract sensitive data from the database.
You are affected if you are using Email Subscribers by Icegram Express plugin version 5.7.14 or earlier. Check your plugin version and update immediately.
Update the Email Subscribers by Icegram Express plugin to a version higher than 5.7.14. Consider WAF rules as a temporary mitigation.
While no active exploitation has been confirmed, the high severity and ease of exploitation suggest active exploitation is likely.
Refer to the Icegram Express website and WordPress plugin repository for the latest advisory and update information.