CVE-2024-4845
HIGH EXPLOITEDIcegram Express < 5.7.23 - Authenticated SQL Injection via options[list_id] Parameter
Title source: llmExploitation Summary
CVE-2024-4845 has been observed exploited in the wild (reported by VulnCheck KEV).
Description
The Icegram Express plugin for WordPress is vulnerable to SQL Injection via the ‘options[list_id]’ parameter in all versions up to, and including, 5.7.22 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
References (2)
Core 2
Core References
Scores
CVSS v3
8.8
EPSS
0.0045
EPSS Percentile
36.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
VulnCheck KEV
2026-05-04
CWE
CWE-89
Status
published
Products (2)
icegram/Email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter Plugin for WordPress
< 5.7.22
icegram/icegram_express
< 5.7.23
Published
Jun 12, 2024
Tracked Since
Feb 18, 2026