cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,poc,trended,trended_no_1,published,trended_score
CVE-2024-8254,https://securityvulnerability.io/vulnerability/CVE-2024-8254,Arbitrary Shortcode Execution Vulnerability in Email Subscribers,"The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5.7.34. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes.",Wordpress,"Email Subscribers By Icegram Express – Email Marketing, Newsletters, Automation For WordPress & WooCommerce",6.3,MEDIUM,0.0005300000193528831,false,,false,false,false,,false,false,2024-10-02T06:46:02.280Z,0
CVE-2024-8771,https://securityvulnerability.io/vulnerability/CVE-2024-8771,Unauthorized Access to Sensitive Data in Email Subscribers Plugin,"The Email Subscribers by Icegram Express, a popular email marketing and automation plugin for WordPress and WooCommerce, has a vulnerability that allows unauthorized access to sensitive data. This issue arises from a missing capability check on the 'preview_email_template_design' function, impacting all versions up to and including 5.7.34. As a result, authenticated attackers with Subscriber-level access and above can exploit this flaw to extract sensitive information, including content from private, password-protected, pending, and draft posts and pages. Website owners should ensure they are using the latest version of the plugin to mitigate this risk and protect their data from potential breaches.",Wordpress,"Email Subscribers By Icegram Express – Email Marketing, Newsletters, Automation For WordPress & WooCommerce",4.3,MEDIUM,0.0005300000193528831,false,,false,false,false,,false,false,2024-09-26T15:30:33.922Z,0
CVE-2024-5703,https://securityvulnerability.io/vulnerability/CVE-2024-5703,Unauthorized API Access Vulnerability in Email Subscribers for WordPress & WooCommerce,"The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to unauthorized API access due to a missing capability check in all versions up to, and including, 5.7.26. This makes it possible for authenticated attackers, with Subscriber-level access and above, to access the API (provided it is enabled) and add, edit, and delete audience users.",Wordpress,"Email Subscribers By Icegram Express – Email Marketing, Newsletters, Automation For WordPress & WooCommerce",4.3,MEDIUM,0.00044999999227002263,false,,false,false,false,,false,false,2024-07-17T07:32:18.614Z,0
CVE-2024-5756,https://securityvulnerability.io/vulnerability/CVE-2024-5756,Email Subscribers Vulnerable to Time-Based SQL Injection,"The Email Subscribers by Icegram Express plugin for WordPress, used for email marketing and automation, contains a vulnerability that allows for time-based SQL Injection. The flaw exists due to insufficient escaping of the user-supplied 'db' parameter and inadequate preparation of SQL queries in all versions up to 5.7.23. This weakness permits unauthenticated attackers to insert additional SQL commands into existing queries, potentially leading to the exposure of sensitive data stored within the WordPress database. It is crucial for users of this plugin to review their security measures and apply necessary updates to mitigate this risk.",Wordpress,"Email Subscribers By Icegram Express – Email Marketing, Newsletters, Automation For WordPress & WooCommerce",9.8,CRITICAL,0.00044999999227002263,false,,false,false,false,,false,false,2024-06-21T04:34:10.900Z,0
CVE-2024-3626,https://securityvulnerability.io/vulnerability/CVE-2024-3626,Unauthorized Access to Private and Password-Protected Posts in Email Subscribers Plugin,"The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_template_content function in all versions up to, and including, 5.7.17. This makes it possible for authenticated attackers, with subscriber access and above, to obtain the contents of private and password-protected posts.",Wordpress,"Email Subscribers By Icegram Express – Email Marketing, Newsletters, Automation For WordPress & WooCommerce",4.3,MEDIUM,0.00044999999227002263,false,,false,false,false,,false,false,2024-05-23T05:32:14.816Z,0
CVE-2024-4010,https://securityvulnerability.io/vulnerability/CVE-2024-4010,Email Subscribers Plugin Vulnerable to Data Theft and Loss,"The Email Subscribers plugin by Icegram Express for WordPress has been identified as vulnerable due to a missing capability check in its handle_ajax_request function. This oversight allows authenticated users, including those with subscriber-level access, to perform unauthorized actions that compromise the confidentiality, integrity, and availability of sensitive data. Attackers can exploit this vulnerability to execute unauthorized modifications and potentially leverage it for PHP Object Injection and SQL Injection attacks, leading to severe implications for website security and user data protection.",Wordpress,"Email Subscribers By Icegram Express – Email Marketing, Newsletters, Automation For WordPress & WooCommerce",8.8,HIGH,0.0004299999854993075,false,,false,false,false,,false,false,2024-05-15T08:34:12.914Z,0
CVE-2024-2876,https://securityvulnerability.io/vulnerability/CVE-2024-2876,Email Subscribers Vulnerable to SQL Injection,"The Email Subscribers by Icegram Express plugin for WordPress is susceptible to SQL Injection through the 'run' function in the 'IG_ES_Subscribers_Query' class. This vulnerability is present in all versions up to and including 5.7.14, resulting from insufficient escaping of user-supplied parameters and a lack of adequate preparation in the SQL query. As a consequence, unauthenticated attackers can inject additional SQL queries into existing queries, enabling them to extract sensitive data from the database. Prompt action is essential to mitigate potential data breaches and ensure the security of WordPress installations.",Wordpress,"Email Subscribers By Icegram Express – Email Marketing, Newsletters, Automation For WordPress & WooCommerce",9.8,CRITICAL,0.0006600000197067857,false,,false,false,true,true,false,false,2024-05-02T16:52:46.382Z,0
CVE-2024-2656,https://securityvulnerability.io/vulnerability/CVE-2024-2656,Email Subscribers Vulnerable to Stored Cross-Site Scripting,"The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a CSV import in all versions up to, and including, 5.7.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.",Wordpress,"Email Subscribers By Icegram Express – Email Marketing, Newsletters, Automation For WordPress & WooCommerce",4.4,MEDIUM,0.0004299999854993075,false,,false,false,false,,false,false,2024-04-06T04:15:00.000Z,0