Serious Vulnerability in WordPress Plugin Exposes Over 90,000 WordPress Sites

A critical vulnerability has been found in the popular WordPress plugin “Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce.” The flaw, tracked as CVE-2024-6172, carries a CVSS score of 9.8, reflecting its severe impact.

The vulnerability was made public on July 1, 2024, and updated on July 2, 2024, by the researcher known as shaman0x01 from the Shaman Red Team. According to the Wordfence blog, it affects all versions of the plugin up to and including 5.7.25. It stems from insufficient escaping of the user-supplied db parameter and a lack of proper preparation of the SQL query that uses it.

This vulnerability allows unauthenticated attackers to conduct time-based SQL Injection attacks, appending additional SQL queries to the existing ones. As a result, attackers can extract sensitive information from the database, posing a substantial risk to the security and privacy of the affected websites.

The “Email Subscribers by Icegram Express” plugin is widely utilized for email marketing, newsletters, and automation on WordPress and WooCommerce websites. With more than 90,000 active installations, the potential impact of this vulnerability is considerable. Websites that use this plugin are exposed to data breaches, which could lead to the exposure of sensitive user information such as email addresses, passwords, and other personal data.

The vulnerability was discovered by shaman0x01, a researcher from the Shaman Red Team known for identifying critical security flaws. The finding underscores the importance of proper input validation and query preparation in preventing SQL Injection attacks. Notably, CVE-2024-37252 appears to duplicate this issue, highlighting the critical nature of the vulnerability.

Website administrators using the “Email Subscribers by Icegram Express” plugin are strongly advised to take immediate measures to mitigate the risk. Recommended steps include updating the plugin, checking for available updates, disabling the plugin if no update is available, monitoring the website for unusual activity, and regularly backing up website data so it can be restored after a security breach.
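The "monitoring for unusual activity" step above can be made concrete for the flaw described in this article: a time-based SQL injection through the db query parameter shows up in web-server access logs as requests whose db value carries a timing function and whose response time is unusually long. The following script is an added example written for this article, not code from the plugin, Wordfence or the researcher; the log format (combined format with a trailing request-time field in seconds), the request paths and the sample lines are all constructed, and only the parameter name db comes from the article.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed access-log lines: combined format plus a trailing request time in
# seconds. The paths are hypothetical; only the "db" parameter name is from the article.
SAMPLE_LOG = """\
203.0.113.5 - - [02/Jul/2024:10:00:01 +0000] "GET /?es=subscribe&db=newsletter HTTP/1.1" 200 512 0.041
203.0.113.9 - - [02/Jul/2024:10:00:07 +0000] "GET /?es=subscribe&db=1%27%20AND%20SLEEP(5)--%20- HTTP/1.1" 200 512 5.062
203.0.113.9 - - [02/Jul/2024:10:00:15 +0000] "GET /?es=subscribe&db=1%27%20AND%20BENCHMARK(5000000,MD5(1))--%20- HTTP/1.1" 200 512 4.911
198.51.100.2 - - [02/Jul/2024:10:00:20 +0000] "GET /?es=subscribe&db=weekly HTTP/1.1" 200 512 3.900
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ (?P<rt>[\d.]+)$'
)
# Timing primitives used by time-based injection across common database engines.
TIME_FUNCS = re.compile(r'\b(SLEEP|BENCHMARK|WAITFOR|PG_SLEEP)\s*\(', re.IGNORECASE)
SLOW_SECONDS = 3.0  # assumed threshold; tune to the site's normal latency

def analyse(log_text):
    """Return one finding per request whose db parameter looks like a timing probe."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a production tool would count these
        rt = float(m['rt'])
        # parse_qs percent-decodes values, so SLEEP(5) is visible even if encoded.
        for raw in parse_qs(urlsplit(m['target']).query).get('db', []):
            has_func = bool(TIME_FUNCS.search(raw))
            slow = rt >= SLOW_SECONDS
            if not (has_func or slow):
                continue
            severity = 'high' if has_func and slow else 'medium' if has_func else 'low'
            findings.append({'ip': m['ip'], 'ts': m['ts'], 'db': raw,
                             'rt': rt, 'severity': severity})
    return findings

if __name__ == '__main__':
    for f in analyse(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ip']:14} {f['rt']:.3f}s db={f['db']!r}")
```

Access logs only record the query string, so a db value sent in a POST body would not be seen here; a slow request with a harmless db value is reported as low severity because latency alone is a weak signal.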

The discovery of CVE-2024-6172 underscores the importance of robust security practices in plugin development. Given WordPress’s widespread use as a website platform globally, ensuring the security of its plugins is vital for maintaining the integrity and privacy of online data. Website administrators must remain vigilant and proactive in addressing vulnerabilities to safeguard their sites and users from potential threats.
