A critical vulnerability has been identified in the Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress. This vulnerability (CVE-2024-3626) allows unauthorized access of data in all versions up to, and including, 5.7.17 of the plugin. As a result, authenticated attackers, with subscriber access and above, can gain access to the contents of private and password-protected posts. This article will detail the exploit, code snippets, and reference links associated with this vulnerability.

Vulnerability Details

The vulnerability exists due to a missing capability check in the get_template_content function of the plugin. The issue lies in the lack of proper authentication and permission checks, which could lead to sensitive details of a WordPress site getting compromised. The vulnerability allows attackers to read private posts and password-protected content, bypassing the default restrictions WordPress offers.

Here's a code snippet from the affected get_template_content function:

// Vulnerable version (all releases up to and including 5.7.17): the template row
// is fetched and returned without any check of the caller's capabilities.
function get_template_content( $template_id ) {
    global $wpdb;
    // {Template_Table} stands for the plugin's template table name.
    $template = $wpdb->get_row( $wpdb->prepare( "SELECT * FROM {Template_Table} WHERE id = %d", $template_id ), ARRAY_A );
    // Any caller who reaches this function receives the full template contents.
    return ! empty( $template ) ? stripslashes_deep( $template ) : false;
}

As you can see, the get_template_content function does not implement an adequate capability check, which paves the way for unauthorized access to the template content.

Exploit

To exploit this vulnerability, an attacker needs to be an authenticated user on the website with at least subscriber-level access. With that level of access, an attacker could:

Extract sensitive content from private and password-protected posts.

The following is an example of an AJAX request that an attacker could send to exploit this vulnerability:

POST /wp-admin/admin-ajax.php HTTP/1.1
Host: vulnerable-wp.example.com
Content-Type: application/x-www-form-urlencoded

action=ig_es_get_template_content&template_id=TARGET_TEMPLATE_ID&security=SECURITY_NONCE

Remediation

Updating the plugin to version 5.7.18 or later addresses the vulnerability and is highly recommended. The plugin developers have added the needed capability check to the affected function in version 5.7.18.
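For illustration, here is what a hardened handler for the ig_es_get_template_content AJAX action looks like when it performs both a nonce check and the capability check that was missing in the vulnerable function above. This is an added example, not the plugin's own code or the actual fix shipped in 5.7.18; the nonce action string, the 'manage_options' capability, the table name and the function names are assumptions chosen for the example.

```php
<?php
// Added example (not the plugin's code): AJAX handler for the
// ig_es_get_template_content action with proper authorization.
// Nonce action, capability name and table name are assumptions.

add_action( 'wp_ajax_ig_es_get_template_content', 'example_es_get_template_content_ajax' );

function example_es_get_template_content_ajax() {
    // 1. Nonce check: rejects requests whose 'security' parameter does not
    //    carry a nonce created with wp_create_nonce( 'example-es-nonce' ).
    //    A nonce only defends against CSRF; it does NOT prove authorization.
    check_ajax_referer( 'example-es-nonce', 'security' );

    // 2. Capability check: the control that was missing. Every logged-in
    //    user, subscriber included, can reach wp_ajax_* hooks, so the handler
    //    itself must verify the caller may read template content.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input validation: coerce template_id to a non-negative integer.
    $template_id = isset( $_POST['template_id'] ) ? absint( $_POST['template_id'] ) : 0;
    if ( 0 === $template_id ) {
        wp_send_json_error( array( 'message' => 'Missing or invalid template_id.' ), 400 );
    }

    $template = example_es_get_template_content( $template_id );
    if ( false === $template ) {
        wp_send_json_error( array( 'message' => 'Template not found.' ), 404 );
    }

    wp_send_json_success( $template );
}

// Data-access helper, reached only after the checks above have passed.
function example_es_get_template_content( $template_id ) {
    global $wpdb;
    $table    = $wpdb->prefix . 'example_es_templates'; // assumed table name
    $template = $wpdb->get_row(
        $wpdb->prepare( "SELECT * FROM {$table} WHERE id = %d", $template_id ),
        ARRAY_A
    );
    return ! empty( $template ) ? stripslashes_deep( $template ) : false;
}
```

The key point is that the capability check sits in the request handler before any database access, so a subscriber-level account that can present a valid nonce is still refused.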

Original References

The vulnerability was initially reported by Wordfence. More information about this vulnerability can be found at the following links:

1. Wordfence Report
2. CVE-2024-3626
3. Plugin Homepage

Conclusion

The unauthorized access of data vulnerability (CVE-2024-3626) in the Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin underscores the importance of regularly updating WordPress plugins and ensuring proper security measures are in place. Users are advised to update the plugin to version 5.7.18 or later to safeguard their website.

Timeline

Published on: 05/23/2024 06:15:10 UTC
Last modified on: 05/24/2024 01:15:30 UTC