CVE-2025-12349 in Icegram Express Plugin

Summary

by MITRE • 11/19/2025

The Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin for WordPress is vulnerable to missing authorization in versions up to, and including, 5.9.10. This is due to the plugin not properly verifying that a user is authorized to perform an action in the `trigger_mailing_queue_sending` function. This makes it possible for unauthenticated attackers to force immediate email sending, bypass the schedule, increase server load, and change plugin state (e.g., the last-cron-hit timestamp), enabling abuse or DoS-like effects.


Analysis

by VulDB Data Team • 11/19/2025

The vulnerability identified as CVE-2025-12349 affects the Icegram Express WordPress plugin in versions up to and including 5.9.10. It is an authorization flaw: one of the plugin's administrative entry points can be reached without any authentication, so the plugin's access control does not cover an operation that changes its state and triggers mail delivery. The defect is a missing privilege check, not an injection or memory-safety bug, which bounds the impact to whatever that single function can do.

The flaw sits in the `trigger_mailing_queue_sending` function, which starts processing of the mailing queue without first checking who is asking. In WordPress terms, a handler that forces a send should verify a capability (for example with `current_user_can()`) and, when it is called from the admin interface, a nonce, before it touches plugin state or calls into the queue. Because versions up to 5.9.10 perform no effective authorization check, an unauthenticated request reaches the same code path an administrator's click would. The issue aligns with CWE-863, Incorrect Authorization, in which an actor can perform an action they are not authorized for, and it violates least privilege: an action that should be limited to site administrators and the plugin's own scheduler is exposed to everyone.
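The shape of the defect, as an added illustration rather than Icegram Express's own source: a reconstructed queue-trigger handler with no authorization check, beside the same handler with the checks WordPress provides. Everything named here is an assumption not taken from the advisory: how the handler is routed to HTTP, the option names, the nonce action `example_trigger_queue`, and the stand-in queue class `Example_Mailing_Queue`.

```php
<?php
// Added illustration, not Icegram Express's own source. Reconstructs the flaw
// described above: a queue-trigger handler with no authorization check, beside
// the same handler with capability and nonce checks.
// Assumptions (not from the advisory): HTTP routing of the handler, the option
// names, the nonce action 'example_trigger_queue', and the stand-in queue class.

class Example_Mailing_Queue {
    // Stand-in for the plugin's real queue: flushes every pending message now.
    public static function send_now() {
        $pending = get_option( 'example_pending_mails', array() ); // constructed sample data
        foreach ( $pending as $mail ) {
            wp_mail( $mail['to'], $mail['subject'], $mail['body'] );
        }
        update_option( 'example_pending_mails', array() );
        return count( $pending );
    }
}

class Example_Trigger_Vulnerable {
    // CWE-863 shape: nothing verifies who is calling before state changes and sending.
    public function trigger_mailing_queue_sending() {
        update_option( 'example_last_cron_hit', time() ); // attacker-writable plugin state
        $sent = Example_Mailing_Queue::send_now();          // schedule bypass, server load
        wp_send_json_success( array( 'sent' => $sent ) );
    }
}

class Example_Trigger_Hardened {
    public function trigger_mailing_queue_sending() {
        // 1. Authorization: only users who may manage the site can force a send.
        //    current_user_can() is false for unauthenticated requests, which is
        //    exactly the caller the advisory describes. wp_send_json_error() exits.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
        }
        // 2. Anti-CSRF: a logged-in admin's browser must not be tricked into
        //    sending this. The nonce must have been created with the same action
        //    name, wp_create_nonce( 'example_trigger_queue' ), in the admin UI.
        //    check_ajax_referer() dies on mismatch.
        check_ajax_referer( 'example_trigger_queue', 'security' );

        update_option( 'example_last_cron_hit', time() );
        $sent = Example_Mailing_Queue::send_now();
        wp_send_json_success( array( 'sent' => $sent ) );
    }
}
```

The scheduled path must not go through the HTTP handler: WP-Cron runs unauthenticated, so the cron hook should call `Example_Mailing_Queue::send_now()` directly. That keeps the capability check on the manual trigger from breaking scheduled delivery, which is the usual reason such checks get left out.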

The practical impact is abuse and load rather than data theft. An attacker can force the queue to be processed immediately, so mail the site owner scheduled for later goes out on the attacker's timing, and repeated requests keep the server generating and sending mail. Nothing in the advisory indicates the attacker controls message content; the abuse is in timing and volume. The request also updates plugin state, notably the last-cron-hit timestamp, a value the plugin keeps to track its own cron activity; overwriting it from outside can disrupt the plugin's scheduling logic and its automated processing of the queue. Together these give DoS-like effects against both the mail pipeline and the host.

Mapped to MITRE ATT&CK, the relevant technique is Endpoint Denial of Service (T1499). The vulnerability does not give the attacker an account, arbitrary code execution, or control over what the messages say, so describing it as privilege escalation overstates it: it is an authorization bypass on one operation, which lets an unauthenticated party do the one thing an administrator could do with that button. Forced sends can still cause harm beyond server load, for instance by damaging the sender's mail reputation through unexpected bursts or by derailing campaigns in organizations where scheduled email is a business function.

Mitigation starts with updating Icegram Express to a release later than 5.9.10 that restores the authorization check on `trigger_mailing_queue_sending`. Until that is done, administrators can reduce exposure by rate limiting or blocking unauthenticated requests to the trigger at the web server or WAF, and by logging every hit on it so that unauthenticated attempts stand out. Exploitation requires no credentials and no special tooling, so although this page's EPSS score (0.00168) and KEV status (no) indicate low observed activity, the fix is cheap and should not wait. The same review is worth applying to other installed plugins: any handler that changes state or does work should be traced back to its capability and nonce checks, since missing authorization of this kind is a recurring WordPress plugin defect.
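The stopgap logging and throttling described above, as an added example that is not part of Icegram Express or of this page: a must-use plugin that records every attempt to reach the queue trigger and rate-limits unauthenticated ones per client address. The request signature it matches (an `action` parameter or URI containing `trigger_mailing_queue_sending`), the limits, and all `qguard_` names are assumptions; the advisory does not state the HTTP route, so the predicate must be adjusted to the real one before relying on it.

```php
<?php
/**
 * Plugin Name: Queue trigger guard (added example, not part of Icegram Express)
 *
 * Drop-in mu-plugin (wp-content/mu-plugins/) that logs every attempt to reach
 * the mailing-queue trigger and throttles unauthenticated ones, as a stopgap
 * until the plugin is updated. The request signature it matches is an
 * ASSUMPTION: the advisory does not give the HTTP route, so adjust
 * qguard_is_trigger_request() to the real admin-ajax action or REST route.
 */

define( 'QGUARD_ACTION',   'trigger_mailing_queue_sending' ); // assumed request marker
define( 'QGUARD_WINDOW',   300 ); // seconds
define( 'QGUARD_MAX_HITS', 3 );   // unauthenticated hits per client per window

function qguard_is_trigger_request() {
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';
    $uri    = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '';
    return QGUARD_ACTION === $action || false !== strpos( $uri, QGUARD_ACTION );
}

function qguard_client_ip() {
    // REMOTE_ADDR only. X-Forwarded-For is attacker-supplied unless a trusted
    // proxy in front of PHP overwrites it; trusting it would let the attacker
    // reset their own bucket on every request.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function qguard_check() {
    if ( ! qguard_is_trigger_request() ) {
        return;
    }
    $ip   = qguard_client_ip();
    $key  = 'qguard_' . md5( $ip );
    $hits = (int) get_transient( $key ) + 1;
    set_transient( $key, $hits, QGUARD_WINDOW );

    // Log first, throttle second: an unauthenticated hit (user=0) on this
    // endpoint is the detection signal for CVE-2025-12349 probing.
    $uri = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '';
    error_log( sprintf( '[qguard] ip=%s user=%d hits=%d uri=%s',
        $ip, get_current_user_id(), $hits, $uri ) );

    if ( current_user_can( 'manage_options' ) ) {
        return; // administrators are logged but never throttled
    }
    if ( $hits > QGUARD_MAX_HITS ) {
        wp_die( 'Too many requests', 'Rate limited', array( 'response' => 429 ) );
    }
}
add_action( 'init', 'qguard_check', 1 );
```

Two caveats before deploying it: if the site legitimately fires the trigger from an external, unauthenticated cron, allow-list that source address or raise `QGUARD_MAX_HITS`, or the guard will throttle your own scheduler; and the transient counter is read-then-write, not atomic, so under a real flood the count undershoots slightly. It is a containment measure, not a substitute for the update.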

Disclosure

11/19/2025

Moderation

accepted

CPE

ready

EPSS

0.00168

KEV

no

Activities

very low
