The Icegram Express plugin for WordPress, used for email marketing, newsletters, and automation, has been found to contain a critical SQL injection vulnerability affecting versions up to and including 5.7.14. The flaw was discovered by Arkadiusz Hydzik and publicly disclosed on April 15, 2024. Because user-supplied parameters are not properly escaped or neutralized before being placed into SQL statements, an unauthenticated attacker can append additional SQL queries to existing ones. As a result, attackers can extract sensitive information from the database, posing a severe risk to website security.
Identified as CVE-2024-2876, this flaw carries a critical CVSS score of 9.8, highlighting the potential for significant impact on confidentiality, integrity, and availability. Users of the Icegram Express plugin are strongly urged to update to version 5.7.15 or later, which contains the necessary patches to fix this vulnerability. Failing to update could leave websites exposed to potential data breaches and unauthorized data access.
The vulnerability lies in the ‘run’ function of the ‘IG_ES_Subscribers_Query’ class, which builds and executes the plugin’s subscriber queries. Because that function did not escape or prepare the parameters it received, attackers could manipulate the resulting SQL to access or modify data in the WordPress database without authentication. The plugin’s development team has since addressed the issue, ensuring that the queries are properly escaped and prepared so that user input can no longer alter their structure.
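To make the "escaped and prepared" fix concrete, here is an added illustration of the general pattern involved. It is not Icegram Express's own code: the function names, the `ig_contacts` table name, and the column whitelist are assumptions chosen for the example. The first function shows how a subscriber query built from request parameters by string interpolation becomes injectable; the second shows the same query built with WordPress's `$wpdb->prepare()` placeholders for values and a fixed whitelist for identifiers, which `prepare()` cannot parameterise.

```php
<?php
// Added example, not code from the Icegram Express plugin.
// Assumes the standard WordPress globals and helpers: $wpdb, absint(),
// sanitize_text_field(), wp_unslash(). Table and function names are made up.

/**
 * VULNERABLE PATTERN (hypothetical): request values are spliced straight
 * into the SQL text. A quote, comment marker, or extra clause in
 * $args['status'] or $args['orderby'] changes the structure of the statement,
 * which is the class of defect described in the advisory above.
 */
function es_example_vulnerable_query( array $args ) {
    global $wpdb;
    $table   = $wpdb->prefix . 'ig_contacts';  // hypothetical table name
    $status  = $args['status'] ?? '';
    $orderby = $args['orderby'] ?? 'id';
    $limit   = $args['limit'] ?? 20;

    $sql = "SELECT id, email FROM {$table} WHERE status = '{$status}' "
         . "ORDER BY {$orderby} LIMIT {$limit}";
    return $wpdb->get_results( $sql );
}

/**
 * HARDENED PATTERN: every value goes through a prepare() placeholder
 * (%s is quoted and escaped, %d is cast to an integer), identifiers come
 * from a whitelist because placeholders cannot stand in for column names,
 * and the table name is derived only from the trusted $wpdb->prefix.
 */
function es_example_hardened_query( array $args ) {
    global $wpdb;
    $table = $wpdb->prefix . 'ig_contacts';  // hypothetical table name

    // Values: sanitise the text, cast and bound the integer.
    $status = sanitize_text_field( wp_unslash( $args['status'] ?? '' ) );
    $limit  = absint( $args['limit'] ?? 20 );
    if ( $limit < 1 || $limit > 500 ) {
        $limit = 20;
    }

    // Identifiers: strict whitelist lookup, defaulting to a safe column.
    $allowed_orderby = array( 'id', 'email', 'created_at' );
    $orderby = $args['orderby'] ?? 'id';
    if ( ! in_array( $orderby, $allowed_orderby, true ) ) {
        $orderby = 'id';
    }
    $order = ( strtoupper( (string) ( $args['order'] ?? 'ASC' ) ) === 'DESC' ) ? 'DESC' : 'ASC';

    // Only trusted, whitelisted strings are interpolated; user-controlled
    // values are bound through placeholders.
    $sql = $wpdb->prepare(
        "SELECT id, email FROM {$table} WHERE status = %s ORDER BY {$orderby} {$order} LIMIT %d",
        $status,
        $limit
    );
    return $wpdb->get_results( $sql );
}
```

When auditing a plugin for this class of bug, the thing to look for is the first shape: `$wpdb->query()`, `get_results()`, or `get_var()` called on a string that interpolates anything originating from `$_GET`, `$_POST`, or `$_REQUEST`. The fix is not a single escaping call sprinkled in; it is routing every value through `prepare()` and every identifier (column, table suffix, sort direction) through an explicit allow-list, as in the second function.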
To protect your site, it is crucial to download and install the latest version of the Icegram Express plugin from the WordPress plugin repository. Keeping plugins updated is a key part of maintaining the security and integrity of your WordPress site, preventing vulnerabilities from being exploited by malicious actors.