Refine your search
4 vulnerabilities found for by icegram
CVE-2025-12348 (GCVE-0-2025-12348)
Vulnerability from cvelistv5
Published
2025-12-12 09:20
Modified
2025-12-12 20:49
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-306 - Missing Authentication for Critical Function
Summary
The Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 5.9.10. This is due to the plugin not properly verifying that a user is authorized to perform an action in the `run_action_scheduler_task` function. This makes it possible for unauthenticated attackers to execute scheduled actions early or repeatedly by guessing action IDs, potentially triggering email sends, maintenance tasks, or other privileged operations, causing unexpected state changes and resource usage.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| icegram | Email Subscribers & Newsletters – Powerful Email Marketing, Post Notification & Newsletter Plugin for WordPress & WooCommerce |
Version: * ≤ 5.9.10 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-12348",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-12T20:49:00.876134Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-12T20:49:12.755Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Email Subscribers \u0026 Newsletters \u2013 Powerful Email Marketing, Post Notification \u0026 Newsletter Plugin for WordPress \u0026 WooCommerce",
"vendor": "icegram",
"versions": [
{
"lessThanOrEqual": "5.9.10",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Adrian Lukita"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 5.9.10. This is due to the plugin not properly verifying that a user is authorized to perform an action in the `run_action_scheduler_task` function. This makes it possible for unauthenticated attackers to execute scheduled actions early or repeatedly by guessing action IDs, potentially triggering email sends, maintenance tasks, or other privileged operations, causing unexpected state changes and resource usage."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-12T09:20:29.470Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c6ba7244-0ecf-412f-9b8b-6b81fa6cdeb5?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/email-subscribers/tags/5.9.4/lite/includes/classes/class-es-queue.php#L50"
},
{
"url": "https://plugins.trac.wordpress.org/browser/email-subscribers/tags/5.9.4/lite/includes/classes/class-ig-es-background-process-helper.php#L194"
},
{
"url": "https://plugins.trac.wordpress.org/changeset/3394838/email-subscribers/trunk/lite/includes/classes/class-ig-es-background-process-helper.php"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-12-11T21:13:45.000+00:00",
"value": "Disclosed"
}
],
"title": "Email Subscribers \u0026 Newsletters \u003c= 5.9.10 - Missing Authentication to Unauthenticated Action Scheduler Task Execution"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-12348",
"datePublished": "2025-12-12T09:20:29.470Z",
"dateReserved": "2025-10-27T14:21:51.223Z",
"dateUpdated": "2025-12-12T20:49:12.755Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-66055 (GCVE-0-2025-66055)
Vulnerability from cvelistv5
Published
2025-11-21 12:29
Modified
2025-11-21 14:26
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-502 - Deserialization of Untrusted Data
Summary
Deserialization of Untrusted Data vulnerability in Icegram Email Subscribers & Newsletters email-subscribers allows Object Injection.This issue affects Email Subscribers & Newsletters: from n/a through <= 5.9.10.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Icegram | Email Subscribers & Newsletters |
Version: n/a < |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-66055",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-21T14:26:54.405540Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-21T14:26:56.725Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "email-subscribers",
"product": "Email Subscribers \u0026 Newsletters",
"vendor": "Icegram",
"versions": [
{
"changes": [
{
"at": "5.9.11",
"status": "unaffected"
}
],
"lessThanOrEqual": "\u003c= 5.9.10",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Ananda Dhakal (Patchstack)"
}
],
"datePublic": "2025-11-21T13:27:31.689Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Deserialization of Untrusted Data vulnerability in Icegram Email Subscribers \u0026 Newsletters email-subscribers allows Object Injection.\u003cp\u003eThis issue affects Email Subscribers \u0026 Newsletters: from n/a through \u003c= 5.9.10.\u003c/p\u003e"
}
],
"value": "Deserialization of Untrusted Data vulnerability in Icegram Email Subscribers \u0026 Newsletters email-subscribers allows Object Injection.This issue affects Email Subscribers \u0026 Newsletters: from n/a through \u003c= 5.9.10."
}
],
"impacts": [
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "Object Injection"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-21T12:29:53.666Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://vdp.patchstack.com/database/Wordpress/Plugin/email-subscribers/vulnerability/wordpress-email-subscribers-newsletters-plugin-5-9-10-php-object-injection-vulnerability?_s_id=cve"
}
],
"title": "WordPress Email Subscribers \u0026 Newsletters plugin \u003c= 5.9.10 - PHP Object Injection vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-66055",
"datePublished": "2025-11-21T12:29:53.666Z",
"dateReserved": "2025-11-21T11:20:39.725Z",
"dateUpdated": "2025-11-21T14:26:56.725Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-12349 (GCVE-0-2025-12349)
Vulnerability from cvelistv5
Published
2025-11-19 04:28
Modified
2025-11-19 20:10
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-306 - Missing Authentication for Critical Function
Summary
The Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin for WordPress is vulnerable to Authorization in versions up to, and including, 5.9.10. This is due to the plugin not properly verifying that a user is authorized to perform an action in the `trigger_mailing_queue_sending` function. This makes it possible for unauthenticated attackers to force immediate email sending, bypass the schedule, increase server load, and change plugin state (e.g., last-cron-hit), enabling abuse or DoS-like effects.
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| icegram | Email Subscribers & Newsletters – Powerful Email Marketing, Post Notification & Newsletter Plugin for WordPress & WooCommerce |
Version: * ≤ 5.9.10 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-12349",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-11-19T20:10:16.949251Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T20:10:33.978Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Email Subscribers \u0026 Newsletters \u2013 Powerful Email Marketing, Post Notification \u0026 Newsletter Plugin for WordPress \u0026 WooCommerce",
"vendor": "icegram",
"versions": [
{
"lessThanOrEqual": "5.9.10",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Adrian Lukita"
}
],
"descriptions": [
{
"lang": "en",
"value": "The Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin for WordPress is vulnerable to Authorization in versions up to, and including, 5.9.10. This is due to the plugin not properly verifying that a user is authorized to perform an action in the `trigger_mailing_queue_sending` function. This makes it possible for unauthenticated attackers to force immediate email sending, bypass the schedule, increase server load, and change plugin state (e.g., last-cron-hit), enabling abuse or DoS-like effects."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-306",
"description": "CWE-306 Missing Authentication for Critical Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-19T04:28:18.783Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0b4cbe21-9f1b-425b-8141-ae075baaf717?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/email-subscribers/tags/5.9.4/lite/includes/classes/class-es-queue.php#L54"
},
{
"url": "https://plugins.trac.wordpress.org/browser/email-subscribers/tags/5.9.4/lite/includes/classes/class-es-queue.php#L1132"
},
{
"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3394838%40email-subscribers%2Ftrunk\u0026old=3393565%40email-subscribers%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
}
],
"timeline": [
{
"lang": "en",
"time": "2025-11-18T16:15:48.000+00:00",
"value": "Disclosed"
}
],
"title": "Email Subscribers \u0026 Newsletters \u003c= 5.9.10 - Missing Authentication to Unauthenticated Mailing Queue Trigger"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-12349",
"datePublished": "2025-11-19T04:28:18.783Z",
"dateReserved": "2025-10-27T14:22:50.164Z",
"dateUpdated": "2025-11-19T20:10:33.978Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-49917 (GCVE-0-2025-49917)
Vulnerability from cvelistv5
Published
2025-10-22 14:32
Modified
2025-11-13 10:33
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Summary
Server-Side Request Forgery (SSRF) vulnerability in Icegram Icegram Express Pro email-subscribers-premium allows Server Side Request Forgery.This issue affects Icegram Express Pro: from n/a through <= 5.9.5.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Icegram | Icegram Express Pro |
Version: n/a < |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 4.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-49917",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-23T14:23:34.484297Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-23T14:23:41.190Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "email-subscribers-premium",
"product": "Icegram Express Pro",
"vendor": "Icegram",
"versions": [
{
"changes": [
{
"at": "5.9.6",
"status": "unaffected"
}
],
"lessThanOrEqual": "\u003c= 5.9.5",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "theviper17 (Patchstack Alliance)"
}
],
"datePublic": "2025-10-22T15:52:37.671Z",
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Server-Side Request Forgery (SSRF) vulnerability in Icegram Icegram Express Pro email-subscribers-premium allows Server Side Request Forgery.\u003cp\u003eThis issue affects Icegram Express Pro: from n/a through \u003c= 5.9.5.\u003c/p\u003e"
}
],
"value": "Server-Side Request Forgery (SSRF) vulnerability in Icegram Icegram Express Pro email-subscribers-premium allows Server Side Request Forgery.This issue affects Icegram Express Pro: from n/a through \u003c= 5.9.5."
}
],
"impacts": [
{
"capecId": "CAPEC-664",
"descriptions": [
{
"lang": "en",
"value": "Server Side Request Forgery"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-11-13T10:33:41.186Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://vdp.patchstack.com/database/Wordpress/Plugin/email-subscribers-premium/vulnerability/wordpress-icegram-express-pro-plugin-5-9-5-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"
}
],
"title": "WordPress Icegram Express Pro plugin \u003c= 5.9.5 - Server Side Request Forgery (SSRF) vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-49917",
"datePublished": "2025-10-22T14:32:12.630Z",
"dateReserved": "2025-06-11T16:06:59.982Z",
"dateUpdated": "2025-11-13T10:33:41.186Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}