HomeCyber BalkansSerious Vulnerability in WordPress Plugin Exposes Over 90,000 WordPress Sites

Serious Vulnerability in WordPress Plugin Exposes Over 90,000 WordPress Sites

Published on

spot_img

A critical vulnerability has been found in the popular WordPress plugin “Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce.” The flaw, known as CVE-2024-6172, has been given a CVSS score of 9.8, indicating its severe impact.

The vulnerability was made public on July 1, 2024, and later updated on July 2, 2024, by the researcher referred to as shaman0x01 from the Shaman Red Team. According to the Wordfence blog, the vulnerability affects all versions of the plugin up to and including 5.7.25. It originates from inadequate escaping of the user-supplied db parameter and insufficient preparation in the existing SQL query.

This vulnerability allows unauthenticated attackers to conduct time-based SQL Injection attacks, giving them the ability to add extra SQL queries to existing ones. As a result, attackers can extract sensitive information from the database, creating a substantial risk to the security and privacy of the affected websites.

The “Email Subscribers by Icegram Express” plugin is widely utilized for email marketing, newsletters, and automation on WordPress and WooCommerce websites. With more than 90,000 active installations, the potential impact of this vulnerability is considerable. Websites that use this plugin are exposed to data breaches, which could lead to the exposure of sensitive user information such as email addresses, passwords, and other personal data.

The vulnerability was discovered by shaman0x01, a researcher from the Shaman Red Team, known for identifying critical security flaws. The researcher’s findings emphasize the significance of proper input validation and query preparation in preventing SQL Injection attacks. Notably, CVE-2024-37252 seems to replicate this issue, highlighting the critical nature of the vulnerability.

Website administrators utilizing the “Email Subscribers by Icegram Express” plugin are strongly advised to take immediate measures to mitigate the risk. Steps recommended include updating the plugin, checking for available updates, disabling the plugin if an update is not available, monitoring for unusual activity on the website, and regularly backing up website data to ensure recovery in case of a security breach.

The discovery of CVE-2024-6172 underscores the importance of robust security practices in plugin development. Given WordPress’s widespread use as a website platform globally, ensuring the security of its plugins is vital for maintaining the integrity and privacy of online data. Website administrators must remain vigilant and proactive in addressing vulnerabilities to safeguard their sites and users from potential threats.

Source link

Latest articles

Government Updates UK National Risk Register with Cyber Warnings

The UK government has taken significant steps to address evolving threats in the realm...

LegacyHive Windows Zero-Day Allows Attackers to Take Control of Administrator Registry Hives

A recently uncovered security vulnerability in Windows systems, termed LegacyHive, has raised significant alarms...

Armenia Detains Russian Tourist on U.S. Warrant for REvil Hacker; Lawyers Claim Misidentification

Armenian authorities have detained a Russian national named Aleksandr Ermakov at the request of...

SANS Highlights AI Governance Gap Amid Rising Security Team Usage

AI Integration in Cybersecurity: Balancing Confidence with Deployment Challenges In recent developments within the cybersecurity...

More like this

Government Updates UK National Risk Register with Cyber Warnings

The UK government has taken significant steps to address evolving threats in the realm...

LegacyHive Windows Zero-Day Allows Attackers to Take Control of Administrator Registry Hives

A recently uncovered security vulnerability in Windows systems, termed LegacyHive, has raised significant alarms...

Armenia Detains Russian Tourist on U.S. Warrant for REvil Hacker; Lawyers Claim Misidentification

Armenian authorities have detained a Russian national named Aleksandr Ermakov at the request of...