Platform: wordpress
Component: email-subscribers
Fixed in: 5.7.26
CVE-2024-6172 describes a critical SQL Injection vulnerability discovered in the Email Subscribers by Icegram Express plugin for WordPress. This flaw allows unauthenticated attackers to inject malicious SQL queries, potentially leading to data exfiltration and compromise of the WordPress database. The vulnerability affects versions up to and including 5.7.25. A patch is available from the vendor.
The SQL Injection vulnerability in Email Subscribers plugin allows attackers to manipulate database queries directly. An attacker could leverage this to extract sensitive information such as user credentials (usernames, passwords, email addresses), customer data, and potentially even WordPress administrative details. Successful exploitation could lead to complete database compromise, allowing attackers to modify data, gain unauthorized access to the WordPress backend, and potentially escalate their control over the entire website. The impact is particularly severe given the plugin's function of managing email subscribers, often containing personally identifiable information (PII).
CVE-2024-6172 was publicly disclosed on July 2, 2024. While no active exploitation campaigns have been definitively confirmed, the critical severity and ease of exploitation make it a high-priority target. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are likely to emerge given the vulnerability's nature and the plugin's popularity.
Websites utilizing the Email Subscribers by Icegram Express plugin, particularly those running vulnerable versions (≤5.7.25), are at significant risk. Shared hosting environments are especially vulnerable as they often have limited control over plugin updates and security configurations. WordPress sites that rely on the plugin for critical email marketing and newsletter functionalities are also at heightened risk.
• wordpress / composer / npm:
grep -m1 "Version:" /var/www/html/wp-content/plugins/email-subscribers-by-icegram-express/*.php  # installed version; 5.7.25 or lower is affected
• wordpress / composer / npm:
wp plugin list --fields=name,status,version | grep email-subscribers
• wordpress / composer / npm:
wp plugin update --all
• generic web: Inspect WordPress access logs for unusual requests to the Email Subscribers plugin, particularly those whose 'db' parameter contains SQL metacharacters or keywords.
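As an added defender-side example (not part of this advisory or of the plugin's own code), the script below applies the log check above to a few constructed access-log lines: it parses combined-format entries and flags every request whose 'db' query parameter carries SQL metacharacters or keywords. The log format, the endpoint path used in the sample lines and the marker list are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Apache/nginx "combined" log format; only the fields the check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Heuristic marker list (assumption): characters and keywords that never belong in a plain 'db' value.
SQLI_MARKERS = re.compile(
    r"('|--|/\*|;|\b(?:union|select|sleep|benchmark|information_schema)\b)",
    re.IGNORECASE,
)

def parse_line(line):
    """Return a dict with ip, ts, path, status and the parsed query string, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    rec["path"] = url.path
    rec["query"] = parse_qs(url.query, keep_blank_values=True)  # percent-decodes once
    return rec

def is_suspicious(rec):
    """True when the request carries a 'db' parameter containing SQL metacharacters."""
    # A second decode catches double-encoded values such as %2527 (-> %27 -> ').
    return any(SQLI_MARKERS.search(unquote_plus(v)) for v in rec["query"].get("db", []))

def scan(lines):
    """Return (ip, timestamp, path, status, db values) for every suspicious request."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec and is_suspicious(rec):
            hits.append((rec["ip"], rec["ts"], rec["path"], rec["status"], rec["query"]["db"]))
    return hits

# Constructed sample traffic, not real logs; the endpoint path is an assumption.
SAMPLE_LOG = [
    '203.0.113.5 - - [02/Jul/2024:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?db=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [02/Jul/2024:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?db=1%27%20OR%201%3D1-- HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [02/Jul/2024:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?db=1%2527+UNION+SELECT+1 HTTP/1.1" 500 0 "-" "curl/8.0"',
    '192.0.2.9 - - [02/Jul/2024:10:00:04 +0000] "GET /?s=subscribers HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Values sent in a POST body are not written to standard access logs, so a WAF or application-level log is needed to cover that path.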
disclosure
Exploit Status
EPSS: 2.30% (85th percentile)
CISA SSVC
CVSS-vector
The primary mitigation for CVE-2024-6172 is to immediately upgrade the Email Subscribers plugin to 5.7.26 or later, the version patched against this vulnerability. If upgrading is not immediately feasible due to compatibility issues or breaking changes, consider temporarily restricting requests that carry the vulnerable parameter ('db') using a web application firewall (WAF) or input validation rules. While not a complete solution, this reduces the attack surface. Monitor WordPress access logs for suspicious SQL queries targeting the plugin's functionality. After upgrading, confirm the fix by attempting a SQL injection payload through the 'db' parameter and verifying that it is properly sanitized.
Update the Email Subscribers by Icegram Express plugin to the most recent version. Version 5.7.26 or later fixes this SQL injection vulnerability.
CVE-2024-6172 is a critical SQL Injection vulnerability affecting the Email Subscribers plugin for WordPress, allowing attackers to extract sensitive data.
You are affected if you are using Email Subscribers plugin versions 5.7.25 or earlier. Check your plugin version and upgrade immediately.
Upgrade the Email Subscribers plugin to the latest version available from the WordPress plugin repository. Consider temporary WAF rules if immediate upgrade is not possible.
While no confirmed active exploitation campaigns are publicly known, the vulnerability's severity and ease of exploitation suggest it is a high-priority target.
Refer to the Icegram Express website and the WordPress plugin repository for the latest advisory and patched version.