CVE-2024-2876 in Icegram Express Plugin
Summary
by MITRE • 05/02/2024
The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to SQL Injection via the 'run' function of the 'IG_ES_Subscribers_Query' class in all versions up to, and including, 5.7.14 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Analysis
by VulDB Data Team • 05/23/2024
The vulnerability identified as CVE-2024-2876 affects the Email Subscribers plugin by Icegram Express, a widely used WordPress extension for email marketing and newsletter automation. This plugin serves millions of WordPress sites, making the vulnerability particularly concerning from a security perspective. The issue resides within the IG_ES_Subscribers_Query class where the 'run' function processes user input without proper sanitization, creating an exploitable condition that allows attackers to manipulate database queries through crafted input parameters.
The technical flaw is a classic SQL injection, classified under CWE-89: insufficient input validation and escaping allow attacker-controlled SQL to be executed in the database context. The plugin neither prepares nor escapes the user-supplied parameter before incorporating it into an existing query, so additional SQL statements can be injected and run with the privileges of the site's database user. The weakness is present in all versions up to and including 5.7.14, a long-standing issue spanning many releases.
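The following is an added illustration of the defect class described above and of its fix; it is not the Icegram Express plugin's own code, and the table name, column names and request parameters (`status`, `orderby`, `limit`) are hypothetical. The vulnerable function splices request values straight into a query string; the hardened version binds values with `$wpdb->prepare()`, casts numerics, and restricts the `ORDER BY` column to a fixed allow-list, since identifiers cannot be bound as ordinary placeholders.

```php
<?php
// Added example (hypothetical, not the plugin's code). Assumes WordPress's global
// $wpdb and a constructed table "{$wpdb->prefix}ig_subscribers" with columns
// id, email, status, created_at.

// ---- Vulnerable pattern (CWE-89): request values spliced directly into SQL ----
function hypothetical_subscribers_query_vulnerable( array $args ) {
    global $wpdb;
    $table   = $wpdb->prefix . 'ig_subscribers';
    $status  = isset( $args['status'] )  ? $args['status']  : 'subscribed';
    $orderby = isset( $args['orderby'] ) ? $args['orderby'] : 'id';

    // No escaping and no prepare(): a quote character in $status terminates the
    // string literal early, and $orderby sits in an unquoted identifier position
    // where escaping alone would not help.
    $sql = "SELECT id, email, status FROM {$table}
            WHERE status = '{$status}'
            ORDER BY {$orderby} LIMIT 50";

    return $wpdb->get_results( $sql );
}

// ---- Hardened form: prepared values, cast integers, allow-listed identifiers ----
function hypothetical_subscribers_query_safe( array $args ) {
    global $wpdb;
    $table = $wpdb->prefix . 'ig_subscribers';

    // 1. Scalar values are normalised, then bound through $wpdb->prepare() (%s),
    //    which quotes and escapes them for MySQL.
    $status = isset( $args['status'] )
        ? sanitize_text_field( wp_unslash( $args['status'] ) )
        : 'subscribed';

    // 2. Column names cannot be bound with %s, so the value is accepted only if it
    //    matches a fixed allow-list; anything else falls back to the default.
    $allowed_orderby = array( 'id', 'email', 'created_at' );
    $orderby = ( isset( $args['orderby'] ) && in_array( $args['orderby'], $allowed_orderby, true ) )
        ? $args['orderby']
        : 'id';

    // 3. Numeric inputs are cast to a non-negative integer and bound with %d.
    $limit = isset( $args['limit'] ) ? absint( $args['limit'] ) : 50;
    if ( $limit < 1 || $limit > 500 ) {
        $limit = 50;
    }

    $sql = $wpdb->prepare(
        "SELECT id, email, status FROM {$table} WHERE status = %s ORDER BY {$orderby} LIMIT %d",
        $status,
        $limit
    );

    return $wpdb->get_results( $sql );
}
```

The important design point is the split between values and identifiers: `prepare()` fully covers the `status` and `limit` values, but the sort column is an identifier, so it must come from code-controlled constants rather than from the request. On WordPress 6.2 and later, `prepare()` also accepts the `%i` placeholder for identifiers, which can be combined with the allow-list check above; on older cores the allow-list alone is the control.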
The operational impact is significant: unauthenticated attackers can perform unauthorized database operations without any valid credentials or privileged access, and can use the injection to extract sensitive information including user credentials, personal data, and other confidential database contents. Because no authentication is required, anyone who can reach the plugin's functionality can exploit it. This opens the door to data breaches, potential account takeovers, and further lateral movement within compromised WordPress installations.
From an adversarial perspective, this vulnerability aligns with ATT&CK technique T1071.004 for application layer protocol manipulation and T1046 for network service discovery, as attackers can use the SQL injection to map database structures and extract information systematically. The attack surface is broad because the plugin is commonly installed across many WordPress environments, including e-commerce sites running WooCommerce where additional sensitive data may be exposed. Organizations using this plugin should immediately patch to the latest version, deploy a web application firewall as a compensating control, and monitor database access patterns for suspicious activity. The vulnerability represents a critical risk that requires immediate remediation to prevent data compromise and to maintain the integrity of WordPress installations relying on this plugin for email marketing automation.