CVE-2024-4010
HIGHEmail Subscribers by Icegram Express <5.7.19 - Info Disclosure
Title source: llmDescription
The Email Subscribers by Icegram Express plugin for WordPress is vulnerable to unauthorized access of data, modification of data, and loss of data due to a missing capability check on the handle_ajax_request function in all versions up to, and including, 5.7.19. This makes it possible for authenticated attackers, with subscriber-level access and above, to cause a loss of confidentiality, integrity, and availability, by performing multiple unauthorized actions. Some of these actions could also be leveraged to conduct PHP Object Injection and SQL Injection attacks.
References (2)
Core 2
Core References
Scores
CVSS v3
8.8
EPSS
0.0039
EPSS Percentile
31.1%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-862
Status
published
Products (2)
icegram/Email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter Plugin for WordPress
< 5.7.19
icegram/Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce
< 5.7.19
Published
May 15, 2024
Tracked Since
Feb 18, 2026