cve,link,title,description,vendor,products,score,severity,epss,cisa,cisa_published,article,ransomware,exploited,poc,trended,trended_no_1,published,trended_score
CVE-2024-12568,https://securityvulnerability.io/vulnerability/CVE-2024-12568,Stored Cross-Site Scripting Vulnerability in Icegram Express WordPress Plugin,"The Email Subscribers by Icegram Express WordPress plugin prior to version 5.7.45 is susceptible to Stored Cross-Site Scripting due to improper sanitization and escaping of certain Workflow settings. This vulnerability enables users with elevated privileges, such as administrators, to execute XSS attacks even when the unfiltered_html capability is restricted, posing significant risks in environments like multisite setups.",Wordpress,Email Subscribers By Icegram Express,4.8,MEDIUM,0.0004299999854993075,false,,false,false,true,true,false,false,2025-01-13T06:00:10.651Z,0
CVE-2024-12567,https://securityvulnerability.io/vulnerability/CVE-2024-12567,Stored Cross-Site Scripting Vulnerability in Email Subscribers Plugin by Icegram Express,"The Email Subscribers plugin by Icegram Express is vulnerable to stored cross-site scripting due to improper sanitization and escaping of form settings. This vulnerability allows high privilege users, such as administrators, to inject malicious scripts, which may execute in the context of other users, potentially compromising sensitive data or user sessions. This risk is particularly salient in multisite setups where the unfiltered_html capability might be restricted.",Wordpress,Email Subscribers By Icegram Express,4.8,MEDIUM,0.0004299999854993075,false,,false,false,true,true,false,false,2025-01-13T06:00:10.180Z,0
CVE-2024-12566,https://securityvulnerability.io/vulnerability/CVE-2024-12566,Stored Cross-Site Scripting in Email Subscribers by Icegram Express Plugin,"The Email Subscribers by Icegram Express WordPress plugin prior to version 5.7.45 is susceptible to Stored Cross-Site Scripting (XSS) attacks. This vulnerability arises from a failure to properly sanitize and escape certain form settings, enabling high privilege users, such as administrators, to inject malicious scripts. This issue persists even when the unfiltered_html capability is disabled, making it particularly concerning in multisite setups where stringent controls on user capabilities are expected.",Wordpress,Email Subscribers By Icegram Express,4.8,MEDIUM,0.0004299999854993075,false,,false,false,true,true,false,false,2025-01-13T06:00:07.508Z,0
CVE-2024-11636,https://securityvulnerability.io/vulnerability/CVE-2024-11636,Stored Cross-Site Scripting in Email Subscribers by Icegram Express Plugin for WordPress,"The Email Subscribers by Icegram Express plugin for WordPress prior to version 5.7.45 suffers from a vulnerability due to improper sanitization and escaping of certain Text Block options. This oversight can be exploited by high-privilege users, such as administrators, to execute Stored Cross-Site Scripting (XSS) attacks, even in environments where the unfiltered_html capability is restricted, such as multisite setups. This vulnerability poses a significant risk, facilitating the injection of malicious scripts that could compromise the integrity of the site.",Wordpress,Email Subscribers By Icegram Express,4.8,MEDIUM,0.0004299999854993075,false,,false,false,true,true,false,false,2025-01-13T06:00:00.902Z,0
CVE-2024-12311,https://securityvulnerability.io/vulnerability/CVE-2024-12311,SQL Injection Vulnerability in Email Subscribers Plugin by Icegram Express,"The Email Subscribers by Icegram Express plugin for WordPress, in versions prior to 5.7.44, is vulnerable to SQL injection due to insufficient sanitization and escaping of a user-supplied parameter before it is used in a SQL statement. Users with admin privileges can exploit this to execute arbitrary SQL queries, potentially leading to unauthorized data access or manipulation. It is critical for users of this plugin to upgrade to version 5.7.44 or later to mitigate these risks and maintain the integrity of their databases.",Wordpress,Email Subscribers By Icegram Express,6.5,MEDIUM,0.0004299999854993075,false,,false,false,true,true,false,false,2025-01-06T06:00:15.943Z,0
CVE-2024-8254,https://securityvulnerability.io/vulnerability/CVE-2024-8254,Arbitrary Shortcode Execution Vulnerability in Email Subscribers,"The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5.7.34. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes.",Wordpress,"Email Subscribers By Icegram Express – Email Marketing, Newsletters, Automation For WordPress & WooCommerce",6.3,MEDIUM,0.0005300000193528831,false,,false,false,false,,false,false,2024-10-02T06:46:02.280Z,0
CVE-2024-8771,https://securityvulnerability.io/vulnerability/CVE-2024-8771,Unauthorized Access to Sensitive Data in Email Subscribers Plugin,"The Email Subscribers by Icegram Express, a popular email marketing and automation plugin for WordPress and WooCommerce, has a vulnerability that allows unauthorized access to sensitive data. This issue arises from a missing capability check on the 'preview_email_template_design' function, impacting all versions up to and including 5.7.34. As a result, authenticated attackers with Subscriber-level access and above can exploit this flaw to extract sensitive information, including content from private, password-protected, pending, and draft posts and pages. Website owners should ensure they are using the latest version of the plugin to mitigate this risk and protect their data from potential breaches.",Wordpress,"Email Subscribers By Icegram Express – Email Marketing, Newsletters, Automation For WordPress & WooCommerce",4.3,MEDIUM,0.0005300000193528831,false,,false,false,false,,false,false,2024-09-26T15:30:33.922Z,0
CVE-2024-5703,https://securityvulnerability.io/vulnerability/CVE-2024-5703,Unauthorized API Access Vulnerability in Email Subscribers for WordPress & WooCommerce,"The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to unauthorized API access due to a missing capability check in all versions up to, and including, 5.7.26. This makes it possible for authenticated attackers, with Subscriber-level access and above, to access the API (provided it is enabled) and add, edit, and delete audience users.",Wordpress,"Email Subscribers By Icegram Express – Email Marketing, Newsletters, Automation For WordPress & WooCommerce",4.3,MEDIUM,0.00044999999227002263,false,,false,false,false,,false,false,2024-07-17T07:32:18.614Z,0
CVE-2024-5756,https://securityvulnerability.io/vulnerability/CVE-2024-5756,Email Subscribers Vulnerable to Time-Based SQL Injection,"The Email Subscribers by Icegram Express plugin for WordPress, used for email marketing and automation, contains a vulnerability that allows for time-based SQL Injection. The flaw exists due to insufficient escaping of the user-supplied 'db' parameter and inadequate preparation of SQL queries in all versions up to and including 5.7.23. This weakness permits unauthenticated attackers to insert additional SQL commands into existing queries, potentially leading to the exposure of sensitive data stored within the WordPress database. It is crucial for users of this plugin to review their security measures and apply necessary updates to mitigate this risk.",Wordpress,"Email Subscribers By Icegram Express – Email Marketing, Newsletters, Automation For WordPress & WooCommerce",9.8,CRITICAL,0.00044999999227002263,false,,false,false,false,,false,false,2024-06-21T04:34:10.900Z,0
CVE-2024-4845,https://securityvulnerability.io/vulnerability/CVE-2024-4845,SQL Injection Vulnerability in Icegram Express Plugin Affects Sensitive Data Extraction,"The Icegram Express plugin for WordPress features a significant SQL Injection vulnerability due to inadequate escaping of user-supplied input within the ‘options[list_id]’ parameter. This issue exists across all versions up to and including 5.7.22. The lack of proper preparation for SQL queries allows authenticated users with Subscriber-level access and above to inject additional SQL commands. Such exploits can lead to unauthorized database access and potentially expose sensitive information, posing a significant risk to website integrity and user data.",Wordpress,Icegram Express,8.8,HIGH,0.0004299999854993075,false,,false,false,false,,false,false,2024-06-12T10:15:00.000Z,0
CVE-2024-3626,https://securityvulnerability.io/vulnerability/CVE-2024-3626,Unauthorized Access to Private and Password-Protected Posts in Email Subscribers Plugin,"The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the get_template_content function in all versions up to, and including, 5.7.17. This makes it possible for authenticated attackers, with subscriber access and above, to obtain the contents of private and password-protected posts.",Wordpress,"Email Subscribers By Icegram Express – Email Marketing, Newsletters, Automation For WordPress & WooCommerce",4.3,MEDIUM,0.00044999999227002263,false,,false,false,false,,false,false,2024-05-23T05:32:14.816Z,0
CVE-2024-4010,https://securityvulnerability.io/vulnerability/CVE-2024-4010,Email Subscribers Plugin Vulnerable to Data Theft and Loss,"The Email Subscribers plugin by Icegram Express for WordPress is vulnerable due to a missing capability check in its handle_ajax_request function. This oversight allows authenticated users, including those with subscriber-level access, to perform unauthorized actions that compromise the confidentiality, integrity, and availability of sensitive data. Attackers can exploit this vulnerability to execute unauthorized modifications and potentially leverage it for PHP Object Injection and SQL Injection attacks, leading to severe implications for website security and user data protection.",Wordpress,"Email Subscribers By Icegram Express – Email Marketing, Newsletters, Automation For WordPress & WooCommerce",8.8,HIGH,0.0004299999854993075,false,,false,false,false,,false,false,2024-05-15T08:34:12.914Z,0
CVE-2024-2876,https://securityvulnerability.io/vulnerability/CVE-2024-2876,Email Subscribers Vulnerable to SQL Injection,"The Email Subscribers by Icegram Express plugin for WordPress is susceptible to SQL Injection through the 'run' function in the 'IG_ES_Subscribers_Query' class. This vulnerability is present in all versions up to and including 5.7.14, resulting from insufficient escaping of user-supplied parameters and a lack of adequate preparation in the SQL query. As a consequence, unauthenticated attackers can inject additional SQL queries into existing queries, enabling them to extract sensitive data from the database. Prompt action is essential to mitigate potential data breaches and ensure the security of WordPress installations.",Wordpress,"Email Subscribers By Icegram Express – Email Marketing, Newsletters, Automation For WordPress & WooCommerce",9.8,CRITICAL,0.0006600000197067857,false,,false,false,true,true,false,false,2024-05-02T16:52:46.382Z,0
CVE-2024-2656,https://securityvulnerability.io/vulnerability/CVE-2024-2656,Email Subscribers Vulnerable to Stored Cross-Site Scripting,"The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via a CSV import in all versions up to, and including, 5.7.14 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.",Wordpress,"Email Subscribers By Icegram Express – Email Marketing, Newsletters, Automation For WordPress & WooCommerce",4.4,MEDIUM,0.0004299999854993075,false,,false,false,false,,false,false,2024-04-06T04:15:00.000Z,0
CVE-2022-45810,https://securityvulnerability.io/vulnerability/CVE-2022-45810,WordPress Email Subscribers & Newsletters Plugin <= 5.5.2 is vulnerable to CSV Injection,"An improper neutralization of formula elements in CSV files has been identified in Icegram Express, used for email marketing within WordPress and WooCommerce. This vulnerability can be exploited by an attacker through crafted CSV files to execute arbitrary formulas when these files are opened by users, posing a risk of unauthorized commands and potential data exposure. Users should ensure that they are running the latest versions and apply necessary precautions against CSV file manipulations.",Wordpress,"Icegram Express – Email Marketing, Newsletters and Automation for WordPress & WooCommerce",9.8,CRITICAL,0.0016400000313296914,false,,false,false,false,,false,false,2023-11-07T16:50:04.184Z,0
CVE-2023-5414,https://securityvulnerability.io/vulnerability/CVE-2023-5414,Directory Traversal Vulnerability in Icegram Express Plugin for WordPress,"The Icegram Express plugin for WordPress is susceptible to a directory traversal vulnerability through its show_es_logs function. This flaw enables attackers with administrator-level access to navigate the server's file system and read arbitrary files, potentially exposing sensitive data from other sites, particularly in shared hosting scenarios. Organizations using this plugin should take immediate action to mitigate associated risks.",Wordpress,"Icegram Express – Email Marketing, Newsletters and Automation for WordPress & WooCommerce",7.2,HIGH,0.0013299999991431832,false,,false,false,false,,false,false,2023-10-20T07:15:00.000Z,0
CVE-2022-3981,https://securityvulnerability.io/vulnerability/CVE-2022-3981,Icegram Express < 5.5.1 - Subscriber+ SQLi,"The Icegram Express WordPress plugin before 5.5.1 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by any authenticated user, such as a subscriber.",Wordpress,Icegram Express,8.8,HIGH,0.0009500000160187483,false,,false,false,false,,false,false,2022-12-12T17:54:44.914Z,0
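The CVE-2022-45810 record above names the bug class (improper neutralization of formula elements in CSV files) but not the check a practitioner would apply. The Python below is an added example written for this page; it is not code from the plugin, from Icegram, or from the feed's publisher. It implements the OWASP-style defence on both sides of a CSV boundary: `neutralize_cell` and `safe_csv` prefix any cell a spreadsheet would evaluate as a formula or DDE command with a single quote before export, and `find_formula_cells` scans an untrusted import (a feed like this one, including its multi-line quoted descriptions) for cells that would be evaluated on open. `SAMPLE_IMPORT`, its placeholder row `TEST-0001`, and all function names are constructed for the example.

```python
import csv
import io

# Leading characters that Excel, LibreOffice and Google Sheets may treat as the
# start of a formula or DDE command (per OWASP "CSV Injection" guidance).
FORMULA_TRIGGERS = frozenset("=+-@\t\r")


def is_formula_like(cell: str) -> bool:
    """True if a spreadsheet would parse this cell as a formula, not as data."""
    stripped = cell.lstrip(" ")  # conservative: some apps trim leading spaces before parsing
    if not stripped or stripped[0] not in FORMULA_TRIGGERS:
        return False
    try:  # "-5" or "+3.2" is a plain signed number, not a formula; leave it alone
        float(stripped)
        return False
    except ValueError:
        return True


def neutralize_cell(value) -> str:
    """Prefix formula-like cells with a single quote so they are stored as text."""
    text = "" if value is None else str(value)
    return "'" + text if is_formula_like(text) else text


def safe_csv(rows, fieldnames) -> str:
    """Serialise dict rows to CSV with every cell neutralised and fully quoted."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=fieldnames, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        writer.writerow({k: neutralize_cell(row.get(k)) for k in fieldnames})
    return buf.getvalue()


def find_formula_cells(csv_text: str):
    """Scan an untrusted CSV and return (data_row_number, column, cell) for formula-like cells."""
    findings = []
    for row_no, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=1):
        for column, cell in row.items():
            if cell is not None and is_formula_like(cell):
                findings.append((row_no, column, cell))
    return findings


def harden_import(csv_text: str) -> str:
    """Read an untrusted CSV and re-emit it with every cell neutralised."""
    reader = csv.DictReader(io.StringIO(csv_text))
    rows = list(reader)  # consumes the header, so reader.fieldnames is populated
    return safe_csv(rows, reader.fieldnames)


# Constructed sample import (not from the feed): one benign row and one row whose
# title carries a HYPERLINK payload that a spreadsheet would evaluate on open.
SAMPLE_IMPORT = (
    "cve,title,score\n"
    "CVE-2022-45810,\"Icegram Express <= 5.5.2 CSV Injection\",9.8\n"
    'TEST-0001,"=HYPERLINK(""http://evil.example/"",""click"")",0\n'
)

if __name__ == "__main__":
    for row_no, column, cell in find_formula_cells(SAMPLE_IMPORT):
        print(f"data row {row_no}, column {column!r}: formula-like cell {cell!r}")
    print(harden_import(SAMPLE_IMPORT))
```

The single-quote prefix is the portable neutralization; it survives round trips because `'` is never itself a trigger, so re-scanning the hardened output reports nothing. The numeric exception keeps negative scores and signed values from being silently turned into text, which is the usual complaint that gets such a filter removed.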