The Email Subscribers by Icegram Express plugin, widely used for email marketing, newsletters, and automation on WordPress and WooCommerce sites, has a critical SQL injection vulnerability in all versions up to and including 5.7.14. The flaw comes from insufficient escaping of a caller-supplied value and a lack of query preparation in the 'run' function of the 'IG_ES_Subscribers_Query' class. Because the affected code path is reachable without logging in, unauthenticated attackers can append their own SQL to the query the plugin already runs and use it to extract sensitive information from the site's database. This article covers the vulnerable code, the practical impact, and the relevant references.

Vulnerability Details

The problematic code lies in the 'run' function of the 'IG_ES_Subscribers_Query' class. The function accepts a fragment of SQL from its caller and concatenates it directly into a SELECT statement; the fragment is neither escaped nor passed through $wpdb->prepare(). Any request parameter that reaches that fragment without proper validation therefore lets an attacker change the structure of the query rather than just a value inside it.

In the 'IG_ES_Subscribers_Query' class, the following code is vulnerable:

// Vulnerable pattern: $query is a raw SQL fragment supplied by the caller.
public function run( $query ) {
    global $wpdb;

    // The fragment is interpolated verbatim into the statement. There is no
    // $wpdb->prepare() call and no escaping, so anything that reaches $query
    // becomes part of the SQL that MySQL executes.
    $sql = "SELECT * FROM $wpdb->ig_subscribers {$query}";
    $subscribers = $wpdb->get_results( $sql, ARRAY_A );

    return $subscribers;
}

Whatever ends up in 'query' is executed as written. An attacker who controls even part of that fragment through an unauthenticated request can terminate the intended clause and supply their own, so the statement that reaches MySQL is no longer the one the developer wrote.
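For contrast, here is a hardened version of the same function. This is an added example, not the plugin's code and not the vendor's actual fix: it replaces the raw SQL fragment with structured arguments, binds every user-controlled value through $wpdb->prepare(), and whitelists the only identifier (the ORDER BY column) that cannot be bound as a placeholder. The column names 'hash', 'email', 'id' and 'created_at' and the table name derived from $wpdb->prefix are assumptions made for the illustration.

```php
<?php
/**
 * Added example (not the plugin's own code): a hardened replacement for the
 * run() pattern above. Callers pass structured arguments instead of SQL text.
 */
class IG_ES_Subscribers_Query_Hardened {

    // Columns a caller may sort by. Assumed names; identifiers cannot be bound
    // with placeholders, so they are restricted to a fixed list instead.
    private const SORTABLE_COLUMNS = array( 'id', 'email', 'created_at' );

    /**
     * @param array $args Optional keys: 'hash' (string), 'email' (string),
     *                    'orderby' (one of SORTABLE_COLUMNS), 'limit' (int).
     * @return array Matching subscriber rows as associative arrays.
     */
    public function run( array $args ) {
        global $wpdb;

        // Assumed to be the same table the original snippet addresses.
        $table  = $wpdb->prefix . 'ig_subscribers';
        $where  = array();
        $params = array();

        // Every user-controlled value goes through a %s placeholder; it is
        // escaped and quoted by prepare() and can never alter the statement.
        if ( ! empty( $args['hash'] ) ) {
            $where[]  = 'hash = %s';
            $params[] = (string) $args['hash'];
        }
        if ( ! empty( $args['email'] ) ) {
            $where[]  = 'email = %s';
            $params[] = (string) $args['email'];
        }

        $sql = "SELECT * FROM {$table}";
        if ( $where ) {
            $sql .= ' WHERE ' . implode( ' AND ', $where );
        }

        // Whitelist the sort column; anything unexpected falls back to 'id'.
        $orderby = isset( $args['orderby'] ) ? (string) $args['orderby'] : 'id';
        if ( ! in_array( $orderby, self::SORTABLE_COLUMNS, true ) ) {
            $orderby = 'id';
        }
        $sql .= " ORDER BY {$orderby}";

        // %d coerces the value to an integer, so LIMIT cannot be broken out of.
        $sql     .= ' LIMIT %d';
        $params[] = isset( $args['limit'] ) ? absint( $args['limit'] ) : 100;

        // $params is never empty here because LIMIT always contributes a value,
        // which is what prepare() requires.
        $prepared = $wpdb->prepare( $sql, $params );

        return $wpdb->get_results( $prepared, ARRAY_A );
    }
}
```

The important change is not the escaping itself but the interface: once the function no longer accepts SQL text, there is nothing for an unauthenticated request to inject into, and the remaining free-form input (the sort column) is checked against a list rather than escaped.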

Exploit Details

Since the vulnerable function is reachable by unauthenticated users, the flaw can be exploited remotely with no credentials. One caveat on impact: the injection lands inside a SELECT that is issued through $wpdb->get_results(), which sends a single statement to MySQL, so an attacker cannot simply append a second UPDATE or DELETE statement. The realistic outcome is reading data, either directly (for example with a UNION that folds rows from another table into the result) or through boolean- or time-based blind extraction, depending on how the query's result is reflected back to the requester.

For instance, an attacker could extract the subscriber table's email addresses and other personal data, and, because the injected SQL runs with the plugin's database user, read any other table in the same database, including the WordPress users table with its password hashes. Further consequences such as privilege escalation or account takeover would be indirect, by cracking or reusing recovered credentials, rather than a direct effect of the injection itself.

Original References

The vulnerability was reported by the research team at XYZ Security in their blog post: CVE-2024-2876 - Email Subscribers by Icegram Express SQL Injection Vulnerability

For updates and additional information, refer to the vulnerability details page in the National Vulnerability Database: CVE-2024-2876

Lastly, the WordPress Vulnerability Database also provides updates regarding this vulnerability: WPVD Entry

Recommendations

If you use the Email Subscribers by Icegram Express plugin on a WordPress or WooCommerce site, update to a release newer than 5.7.14 without delay; every version up to and including 5.7.14 is affected. Because the flaw is reachable without authentication and has been public since May 2024, treat any site that ran a vulnerable version as potentially read: review web server logs for unusual requests to the plugin's public endpoints (unexpectedly long or encoded parameters, repeated near-identical requests with small variations, and response times that suggest time-based probing), and if you find evidence of exploitation, assume the database contents were exposed and rotate passwords and API keys stored there. Keeping plugins current, requiring strong authentication for administrative accounts, and limiting the database user's privileges to what the site needs all reduce the impact of the next issue of this kind.

Timeline

Published on: 05/02/2024 17:15:20 UTC
Last modified on: 06/04/2024 17:29:13 UTC