CVE-2024-6172: Critical Flaw in Icegram Express Plugin Threatens 90,000+ WordPress Sites
A severe vulnerability has been discovered in Icegram Express, a widely used WordPress plugin for email marketing and newsletters. The flaw, designated CVE-2024-6172, has been assigned a near-maximum CVSS score of 9.8, underscoring its critical nature and potential impact on the over 90,000 websites currently relying on the plugin.
The vulnerability, CVE-2024-6172, is a time-based SQL Injection flaw found in the Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin. This security hole exists in all versions up to and including 5.7.25. The flaw stems from insufficient escaping of the user-supplied db parameter and inadequate preparation of existing SQL queries.
An unauthenticated attacker can exploit this vulnerability by injecting malicious SQL queries into the db parameter. Due to the lack of proper sanitization and preparation, these injected queries can manipulate the database, potentially allowing attackers to extract sensitive information, modify data, or even gain administrative control over the affected WordPress site.
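To make the root cause concrete, here is an added illustration of the bug class (insufficient escaping plus unprepared queries) beside a hardened form. This is not Icegram Express's code: only the `db` parameter name comes from the advisory, while the table names, the `status` parameter and the function names are hypothetical.

```php
<?php
// Added illustration of the bug class behind CVE-2024-6172, not code from
// Icegram Express. "db" is the parameter named in the advisory; the tables,
// the "status" parameter and the function names are hypothetical.

// Vulnerable pattern: request parameters are interpolated straight into the
// SQL string. Nothing is escaped and prepare() is never called, so
// attacker-controlled text becomes part of the statement.
function example_unsafe_count( $request ) {
    global $wpdb;
    $db     = isset( $request['db'] ) ? $request['db'] : 'subscribers';
    $status = isset( $request['status'] ) ? $request['status'] : 'active';
    $table  = $wpdb->prefix . 'example_' . $db;
    return $wpdb->get_var( "SELECT COUNT(*) FROM {$table} WHERE status = '{$status}'" );
}

// Hardened pattern. Two separate fixes are needed:
//  1. "db" selects an identifier (a table). Value placeholders cannot bind
//     identifiers, so it is resolved through a fixed allow-list map
//     (WordPress 6.2+ also offers the %i identifier placeholder in prepare()).
//  2. "status" is a value, so it is bound with a %s placeholder via prepare().
function example_safe_count( $request ) {
    global $wpdb;
    $tables = array(
        'subscribers' => $wpdb->prefix . 'example_subscribers',
        'campaigns'   => $wpdb->prefix . 'example_campaigns',
    );
    $db = isset( $request['db'] ) ? sanitize_key( $request['db'] ) : 'subscribers';
    if ( ! isset( $tables[ $db ] ) ) {
        // Unknown table name: refuse instead of building SQL from it.
        return new WP_Error( 'invalid_db', 'Unexpected db parameter' );
    }
    $status = isset( $request['status'] )
        ? sanitize_text_field( wp_unslash( $request['status'] ) )
        : 'active';
    $sql = $wpdb->prepare(
        "SELECT COUNT(*) FROM {$tables[ $db ]} WHERE status = %s",
        $status
    );
    return $wpdb->get_var( $sql );
}

// Typical call site inside a request handler: $_GET is passed in as-is and
// all validation happens in the function above.
// $count = example_safe_count( $_GET );
```

When reviewing plugin code for this class of bug, look for `$wpdb->query()`, `get_var()`, `get_results()` and similar calls whose SQL string contains a `$_GET`, `$_POST` or `$_REQUEST` value that never passed through `prepare()` or an allow-list.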
Because the injection requires no authentication, an attacker can manipulate the plugin’s database queries from an anonymous request. This means malicious actors could potentially:
- Steal Sensitive Data: Gain access to email lists, subscriber information, and potentially other WordPress data.
- Take Control of Sites: In the worst-case scenario, an attacker could leverage the vulnerability to gain administrative access to a website, allowing them to deface it, spread malware, or redirect visitors to malicious sites.
- Disrupt Operations: Even without full control, an attacker could cause chaos by deleting data or disrupting the plugin’s functionality.
Any website using Icegram Express versions 5.7.25 or earlier is at risk. The plugin is popular due to its user-friendly interface and affordability, making it attractive to both small businesses and larger organizations.
The security flaw was uncovered by researcher shaman0x01 from the Shaman Red Team. Their responsible disclosure allowed Icegram Express to develop a patch before widespread exploitation could occur.
If you use Icegram Express, updating to the latest version (5.7.26 or later) is imperative. This should be your top priority to protect your website and subscribers. If you cannot update immediately, consider temporarily disabling the plugin until you can do so safely.