CVE-2024-2876: Critical Security Flaw Impacts Popular WordPress Email Marketing Plugin
A severe security vulnerability impacting the popular “Email Subscribers by Icegram Express” WordPress plugin has been discovered. The flaw, designated CVE-2024-2876 and carrying a critical CVSS score of 9.8, allows unauthenticated attackers to inject malicious SQL into the databases of WordPress sites that use the plugin.
The Threat
This SQL injection vulnerability could allow hackers to extract sensitive data from the WordPress database. This data could include:
- Usernames and email addresses
- Password hashes (potentially leading to account compromise)
- Subscriber lists
- Other website-specific information
How It Works
The CVE-2024-2876 vulnerability exists in the “run” function of the plugin’s IG_ES_Subscribers_Query class. Attackers exploit it by manipulating user input so that the plugin executes additional, unauthorized SQL against the website’s database.
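As an added illustration of the bug class described above (not the plugin’s actual code, and not a reproduction of this CVE), here is a hypothetical WordPress subscriber query class that interpolates request-controlled values straight into SQL, beside the same query built with `$wpdb->prepare()` and an allow-list for the sort column. The class name, table name and argument names are all assumptions.

```php
<?php
// Added example, not Icegram Express code. Hypothetical subscriber query
// class showing string-built SQL next to its prepared, allow-listed form.

class Hypothetical_Subscribers_Query {
    // VULNERABLE: every value from $args lands unescaped inside the SQL
    // string, so any of the three inputs can alter the query structure.
    public function run_unsafe( array $args ) {
        global $wpdb;
        $table   = $wpdb->prefix . 'hypothetical_subscribers';
        $list_id = $args['list_id'];
        $status  = $args['status'];
        $orderby = $args['orderby'];
        $sql = "SELECT id, email FROM {$table}
                WHERE list_id = {$list_id} AND status = '{$status}'
                ORDER BY {$orderby}";
        return $wpdb->get_results( $sql );
    }

    // HARDENED: numeric and string values are bound through $wpdb->prepare();
    // the ORDER BY column is checked against an allow-list because SQL
    // placeholders cannot bind identifiers such as column names.
    public function run_safe( array $args ) {
        global $wpdb;
        $table   = $wpdb->prefix . 'hypothetical_subscribers';
        $list_id = absint( $args['list_id'] ?? 0 );
        $status  = sanitize_key( $args['status'] ?? 'subscribed' );

        $allowed_orderby = array( 'id', 'email', 'created_at' );
        $requested       = (string) ( $args['orderby'] ?? 'id' );
        $orderby         = in_array( $requested, $allowed_orderby, true ) ? $requested : 'id';

        $sql = $wpdb->prepare(
            "SELECT id, email FROM {$table}
             WHERE list_id = %d AND status = %s
             ORDER BY {$orderby}",
            $list_id,
            $status
        );
        return $wpdb->get_results( $sql );
    }
}
```

On WordPress 6.2 and newer, `$wpdb->prepare()` also accepts the `%i` placeholder for identifiers, which can replace the manual allow-list for the column name; the allow-list approach works on any version.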
Affected Websites
Any WordPress website running an unpatched version of the Email Subscribers by Icegram Express plugin (up to version 5.7.14) is potentially vulnerable. With over 90,000 active installations, this flaw could have widespread ramifications.
Urgent Action Required
Website owners using the Email Subscribers by Icegram Express plugin are strongly urged to update to version 5.7.15 or newer immediately, where the security patch has been implemented. Failure to do so leaves websites at significant risk of data compromise.
Protecting Yourself
Beyond updating the plugin, website administrators should be vigilant and consider these security measures:
- Regular Updates: Ensure all WordPress plugins and themes are up-to-date.
- Security Plugins: Consider installing reputable security plugins to help block attacks such as SQL injection attempts.
- Strong Passwords: Enforce the use of strong, unique passwords for all WordPress users.