A critical SQL injection vulnerability has been discovered in the Email Subscribers by Icegram Express WordPress plugin. The plugin, which provides email marketing and newsletter management, has over 90,000 active installations.
The vulnerability, discovered by security researcher Arkadiusz Hydzik during Wordfence’s Bug Bounty Extravaganza, allowed unauthenticated attackers to inject arbitrary SQL into the plugin’s database queries and extract sensitive data, including password hashes, from the site’s database.
The flaw affects all versions of Email Subscribers by Icegram Express up to and including 5.7.14. It has been assigned the identifier CVE-2024-2876 (a CVE is the standard identifier for a publicly disclosed vulnerability, used for tracking and information sharing across the security community) and carries a critical CVSS score of 9.8 out of 10. The score reflects that the flaw is reachable over the network without authentication or user interaction and exposes the contents of the site’s database.
If you run Email Subscribers by Icegram Express, update to version 5.7.15 or later as soon as possible; that release fixes the vulnerability. Updating closes the hole but does not undo any data already extracted: if a site was exposed while running a vulnerable version, treat its users’ password hashes as potentially compromised and consider forcing password resets.