CVE-2024-2876

Exploitation Summary

CVE-2024-2876 has been observed exploited in the wild (reported by VulnCheck KEV). EIP tracks 10 public exploits from researchers including iSee857, c0d3zilla, intel365. A Nuclei detection template is also available.

AI-analyzed exploit summary The repository contains functional exploit code for multiple CVEs, including CVE-2026-22812, which demonstrates remote command execution (RCE) via session manipulation and command injection. The code is well-structured, includes proper error handling, and is designed for both single and batch target testing.

Description

The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to SQL Injection via the 'run' function of the 'IG_ES_Subscribers_Query' class in all versions up to, and including, 5.7.14 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Exploits (10)

github WORKING POC 40 stars

by iSee857 · pythonpoc

https://github.com/iSee857/CVE-PoC/tree/main/WordPress_IcegramExpress(CVE-2024-2876).py

View Code ZIP pw:eip

The repository contains functional exploit code for multiple CVEs, including CVE-2026-22812, which demonstrates remote command execution (RCE) via session manipulation and command injection. The code is well-structured, includes proper error handling, and is designed for both single and batch target testing.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: OpenCode (CVE-2026-22812), Altenergy (CVE-2024-11305), and others

No auth needed

Prerequisites: network access to target · target service running

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 27, 2026 Full analysis →

nomisec WRITEUP 6 stars

by c0d3zilla · infoleak

https://github.com/c0d3zilla/CVE-2024-2876

View Code ZIP pw:eip

This repository contains a README describing a SQL injection vulnerability (CVE-2024-2876) in Icegram Express. No actual exploit code is provided, only a legal disclaimer and brief description.

Classification

Writeup 90%

Attack Type

Sqli

Complexity

Theoretical

Reliability

Theoretical

Target: Icegram Express (version not specified)

No auth needed

Prerequisites: Access to a vulnerable Icegram Express instance

MITRE ATT&CK

T1189 - Drive-by Compromise

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 2 stars

by intel365 · poc

https://github.com/intel365/CVE-2024-2876

View Code ZIP pw:eip

The repository contains a functional SQL injection exploit for CVE-2024-2876, targeting the 'Email Subscribers by Icegram Express' WordPress plugin. The exploit leverages inadequate input sanitization in the `IG_ES_Subscribers_Query` class to execute arbitrary SQL queries, demonstrated via a time-based blind SQLi payload.

Classification

Working Poc 95%

Attack Type

Sqli

Complexity

Trivial

Reliability

Reliable

Target: Email Subscribers by Icegram Express (WordPress plugin) <= 5.7.14

No auth needed

Prerequisites: WordPress site with vulnerable plugin installed

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Jun 08, 2026 Full analysis →

nomisec WORKING POC 2 stars

by kernel364 · poc

https://github.com/kernel364/CVE-2024-2876

View Code ZIP pw:eip

The repository contains a functional SQL injection exploit for CVE-2024-2876, targeting the 'Email Subscribers by Icegram Express' WordPress plugin. The exploit leverages inadequate input sanitization in the `IG_ES_Subscribers_Query` class to execute arbitrary SQL queries.

Classification

Working Poc 95%

Attack Type

Sqli

Complexity

Trivial

Reliability

Reliable

Target: Email Subscribers by Icegram Express (up to 5.7.14)

No auth needed

Prerequisites: WordPress site with vulnerable plugin installed

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed May 24, 2026 Full analysis →

nomisec WORKING POC 2 stars

by voidbroker · poc

https://github.com/voidbroker/CVE-2024-2876

View Code ZIP pw:eip

The repository provides a functional proof-of-concept for CVE-2024-2876, a SQL injection vulnerability in the 'Email Subscribers by Icegram Express' WordPress plugin. The exploit leverages unsanitized input in the `IG_ES_Subscribers_Query` class to execute arbitrary SQL queries.

Classification

Working Poc 90%

Attack Type

Sqli

Complexity

Trivial

Reliability

Reliable

Target: Email Subscribers by Icegram Express (up to 5.7.14)

No auth needed

Prerequisites: Target running vulnerable version of the plugin · Access to the WordPress admin-post.php endpoint

MITRE ATT&CK

T1189 - Drive-by Compromise T1505 - Server Software Component

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 2 stars

by chsxthwik · poc

https://github.com/chsxthwik/CVE-2024-2876

View Code ZIP pw:eip

This repository contains a proof-of-concept for CVE-2024-2876, an unauthenticated SQL Injection vulnerability in the Email Subscribers by Icegram Express WordPress plugin. The PoC demonstrates how an attacker can inject malicious SQL queries via the 'advanced_filter' parameter to extract sensitive database information.

Classification

Working Poc 90%

Attack Type

Sqli

Complexity

Trivial

Reliability

Reliable

Target: Email Subscribers by Icegram Express (WordPress plugin) <= 5.7.14

No auth needed

Prerequisites: Target must have the vulnerable plugin installed and active

MITRE ATT&CK

T1505 - Server Software Component T1190 - Exploit Public-Facing Application

devstral-2 · analyzed Feb 16, 2026 Full analysis →

nomisec WORKING POC 2 stars

by 0xAgun · infoleak

https://github.com/0xAgun/CVE-2024-2876

View Code ZIP pw:eip

This PoC exploits a time-based SQL injection vulnerability in the Email Subscribers plugin for WordPress. It checks for vulnerable versions (<5.7.15) and confirms exploitation via a sleep-based payload.

Classification

Working Poc 95%

Attack Type

Sqli

Complexity

Moderate

Reliability

Reliable

Target: Email Subscribers WordPress plugin <5.7.15

No auth needed

Prerequisites: Target running vulnerable Email Subscribers plugin · Access to /wp-admin/admin-post.php

MITRE ATT&CK

T1189 - Drive-by Compromise T1505 - Server Software Component

devstral-2 · analyzed Feb 16, 2026 Full analysis →

vulncheck_xdb WORKING POC

infoleak

https://github.com/zxcod3/CVE-2024-2876

View Code ZIP pw:eip

The repository contains a functional SQL injection exploit for CVE-2024-2876, targeting the 'Email Subscribers by Icegram Express' WordPress plugin. The exploit leverages a time-based SQLi via the `advanced_filter` parameter in a POST request to `/wp-admin/admin-post.php`.

Classification

Working Poc 95%

Attack Type

Sqli

Complexity

Trivial

Reliability

Reliable

Target: Email Subscribers by Icegram Express (WordPress plugin) <= 5.7.14

No auth needed

Prerequisites: WordPress site with vulnerable plugin installed

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 25, 2026 Full analysis →

vulncheck_xdb WORKING POC

infoleak

https://github.com/R4m24n/wp

View Code ZIP pw:eip

The repository provides functional SQL injection PoCs for CVE-2024-2876 and CVE-2024-3495, targeting WordPress plugins 'Email Subscribers by Icegram Express' and 'Country State City Dropdown CF7' respectively. The PoCs include crafted HTTP requests demonstrating time-based and union-based SQLi techniques.

Classification

Working Poc 95%

Attack Type

Sqli

Complexity

Moderate

Reliability

Reliable

Target: Email Subscribers by Icegram Express (≤5.7.14), Country State City Dropdown CF7 (≤2.7.2)

No auth needed

Prerequisites: target running vulnerable plugin version · network access to WordPress admin endpoints

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter

devstral-2 · analyzed Feb 25, 2026 Full analysis →

vulncheck_xdb WORKING POC

infoleak

https://github.com/Quantum-Hacker/CVE-2024-2876

View Code ZIP pw:eip

The repository contains a functional SQL injection exploit for CVE-2024-2876, targeting the Email Subscribers by Icegram Express WordPress plugin. The exploit uses a time-based SQLi payload to verify vulnerability via a crafted POST request to /wp-admin/admin-post.php.

Classification

Working Poc 95%

Attack Type

Sqli

Complexity

Trivial

Reliability

Reliable

Target: Email Subscribers by Icegram Express (WordPress plugin) <= 5.7.14

No auth needed

Prerequisites: WordPress site with vulnerable plugin installed

MITRE ATT&CK