CVE-2024-4295: Critical Vulnerability in Popular WordPress Plugin Exposes 90K+ Sites


A critical security flaw has been uncovered in the popular WordPress plugin, Email Subscribers by Icegram Express. This vulnerability, designated as CVE-2024-4295, carries a severity rating of 9.8 (CVSS), making it a prime target for exploitation.


The vulnerability is an unauthenticated SQL Injection flaw, which allows attackers to inject malicious SQL into the plugin’s database queries. This could lead to the exposure of sensitive information, including user data and website credentials. With over 90,000 active installations, the potential impact of this vulnerability is significant.

Security researcher 1337_Wannabe is credited with discovering the CVE-2024-4295 flaw, which stems from insufficient escaping of user-supplied input via the ‘hash’ parameter and a lack of proper preparation in existing SQL queries. This oversight opens the door for attackers to append their own SQL commands, potentially wreaking havoc on affected websites.
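To make the root cause concrete, here is an added example that is not code from the Icegram Express plugin: a hypothetical subscriber lookup keyed by a `hash` request parameter, written first in the unescaped, unprepared pattern the advisory describes and then hardened with WordPress's `$wpdb->prepare()` and an allow-list check. The table name, column names, 32-character hex hash format and function names are assumptions for illustration.

```php
<?php
// Added example (not code from the Icegram Express plugin): a hypothetical
// subscriber lookup driven by a ?hash= request parameter, shown first in the
// insecure pattern the advisory describes (unescaped input interpolated
// into SQL) and then hardened with $wpdb->prepare() plus input validation.
// Table name, column names and hash format are assumptions.

// INSECURE: the raw parameter is concatenated straight into the query. A
// single quote in $_GET['hash'] terminates the string literal, and whatever
// follows is executed as SQL with the plugin's database privileges.
function example_lookup_subscriber_insecure() {
    global $wpdb;
    $hash = $_GET['hash'];
    $sql  = "SELECT id, email FROM {$wpdb->prefix}example_subscribers WHERE hash = '$hash'";
    return $wpdb->get_row( $sql );
}

// HARDENED: reject anything that is not shaped like a legitimate hash, then
// bind the value with $wpdb->prepare() so it is always treated as data and
// never as part of the SQL statement.
function example_lookup_subscriber_secure() {
    global $wpdb;

    if ( ! isset( $_GET['hash'] ) ) {
        return null;
    }
    $hash = sanitize_text_field( wp_unslash( $_GET['hash'] ) );

    // Allow-list check (assumption: the hash is a 32-character hex string,
    // e.g. an MD5 digest). Anything else never reaches the database.
    if ( ! preg_match( '/^[a-f0-9]{32}$/i', $hash ) ) {
        return null;
    }

    // %s is a quoted, escaped string placeholder; the table name is a fixed
    // server-side constant, not user input.
    $sql = $wpdb->prepare(
        "SELECT id, email FROM {$wpdb->prefix}example_subscribers WHERE hash = %s",
        $hash
    );
    return $wpdb->get_row( $sql );
}
```

The allow-list check is the cheap first line of defence; `$wpdb->prepare()` is the one that actually removes the injection, so keep both even if the hash format later changes.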

If you are using the Email Subscribers by Icegram Express plugin, immediate action is crucial.

  1. Update Immediately: Update your plugin to the latest version (5.7.21 or later) as soon as possible. This version contains a patch that addresses the SQL injection vulnerability.
  2. Review Your Data: Check your website’s database for any signs of unauthorized access or data modification.
  3. Implement Security Measures: Consider implementing additional security measures, such as web application firewalls and intrusion detection systems, to further protect your website.