The vulnerability was disclosed on July 1, 2024, by security researcher shaman0x01 from the Shaman Red Team. It stems from inadequate input validation and SQL query preparation in the handling of the db parameter. This oversight allows malicious actors, without requiring authentication, to inject arbitrary SQL queries into the plugin’s database operations. As a consequence, attackers can potentially extract sensitive data such as user credentials, email addresses, and other personal information stored in the website’s database.
Given the widespread use of “Email Subscribers by Icegram Express” with over 90,000 active installations, the potential impact of this vulnerability is extensive. Websites using outdated versions are vulnerable to exploitation, risking unauthorized access and data breaches. Immediate action is crucial for website administrators to safeguard their sites against potential exploitation.To mitigate the risk, administrators are strongly urged to update the plugin to the latest patched version as soon as possible. This update addresses the vulnerability by implementing stricter input validation and enhancing SQL query handling to prevent injection attacks. Additionally, website owners should monitor their site’s activity for any signs of unauthorized access or unusual database queries, which could indicate attempted exploitation.
In light of CVE-2024-6172, it is essential for WordPress administrators to prioritize regular updates and security practices. Implementing web application firewalls (WAFs) and conducting thorough security audits of plugins can further bolster defenses against potential threats. By taking proactive measures and staying vigilant, website operators can protect their data and ensure the continued trustworthiness of their online presence.
