A critical security vulnerability has been identified in the “Email Subscribers by Icegram Express” WordPress plugin, posing severe risks to over 90,000 websites. The vulnerability, tracked as CVE-2024-2876, is a SQL injection flaw that enables unauthenticated attackers to execute malicious SQL queries within the affected WordPress databases. This exploit can lead to the extraction of sensitive information such as usernames, email addresses, password hashes, and subscriber lists.
Vulnerability Details
- CVE-ID: CVE-2024-2876
- CVSS Score: 9.8 (Critical)
- Vulnerable Versions: Up to version 5.7.14
- Patched Version: 5.7.15 and above
Exploit Mechanism
The vulnerability exists within the “run” function of the plugin’s IG_ES_Subscribers_Query class. By manipulating user inputs that are improperly sanitized, attackers can inject unauthorized SQL code, impacting the integrity and confidentiality of data stored in the WordPress database.
Immediate Recommendations
- Update Immediately: If you are using the “Email Subscribers by Icegram Express” plugin, upgrade to version 5.7.15 or newer as soon as possible to apply the security fix.
- Audit Your Plugins: Regularly review and update all WordPress plugins and themes to their latest versions.
- Install Security Plugins: Utilize reputable WordPress security plugins to enhance defense against SQL injection and other types of cyber attacks.
- Enforce Strong Password Policies: Ensure that all accounts related to your WordPress site use strong, unique passwords to reduce the risk of unauthorized access stemming from compromised credentials.
Impact of Non-Compliance
Failing to update the affected plugin can leave websites susceptible to data breaches, unauthorized access, and potential exploitation for further network compromise. Given the severity of this vulnerability and its widespread use, it is critical that all affected parties take immediate action to secure their installations.
