CVE-2024-4295

CRITICAL EXPLOITED NUCLEI

Email Subscribers by Icegram Express <5.7.20 - SQL Injection

Title source: llm

Description

The Email Subscribers by Icegram Express plugin for WordPress is vulnerable to SQL Injection via the ‘hash’ parameter in all versions up to, and including, 5.7.20 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Exploits (3)

nomisec WRITEUP

by cve-2024 · infoleak

https://github.com/cve-2024/CVE-2024-4295-Poc

View Code ZIP pw:eip

nomisec WRITEUP

by TgHook · poc

https://github.com/TgHook/CVE-2024-4295-Poc

View Code ZIP pw:eip

vulncheck_xdb

infoleak

https://github.com/truonghuuphuc/CVE-2024-4295-Poc

View on vulncheck_xdb

Nuclei Templates (1)

Email Subscribers by Icegram Express <= 5.7.20 - Unauthenticated SQL Injection via Hash

CRITICALVERIFIEDby iamnoooob,rootxharsh,pdresearch

FOFA: body="/wp-content/plugins/email-subscribers/"

References (2)

[Patch] https://plugins.trac.wordpress.org/changeset/3090845/email-subscribers/trunk/lite/includes/db/class-es-db-lists-contacts.php

[Third Party Advisory] https://www.wordfence.com/threat-intel/vulnerabilities/id/641123af-1ec6-4549-a58c-0a08b4678f45?source=cve

Scores

CVSS v3 9.8

EPSS 0.9292

EPSS Percentile 99.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

VulnCheck KEV 2025-04-23

CWE

CWE-89

Status published

Products (2)

icegram/email_subscribers_\&_newsletters < 5.7.21

icegram/Email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter Plugin for WordPress < 5.7.20

Published Jun 05, 2024

Tracked Since Feb 18, 2026