If you run a WordPress site and use the Icegram Express plugin, you should know about a nasty security issue: CVE-2023-5414. This bug lets admin-level users read any file their web server has access to, even files from other websites, thanks to a vulnerability in the plugin’s show_es_logs function. Here’s a deep dive into what’s going on, how attackers can exploit it, and what you should do.
What is CVE-2023-5414?
This vulnerability exists in Icegram Express (previously Email Subscribers & Newsletters), a popular plugin for managing email lists and sending newsletters through WordPress. Versions *up to and including 5.6.23* are affected.
Vulnerability type: Directory Traversal
Vulnerable Function: show_es_logs
Risk: Admin users can read arbitrary server files
Original Report:
- WPScan Report
- NVD CPE Record
How Does Directory Traversal Work Here?
Directory traversal is a bug where a user can supply a path like ../../etc/passwd and the application opens that file, even though it was never meant to. The show_es_logs function in Icegram Express does not adequately validate the file path it is given, letting an attacker (with admin rights) escape the intended log directory and read arbitrary files the web server process can access.
If you're on shared hosting and your files hold sensitive stuff (config files, database credentials, or even files from other WordPress installs), all are at risk.
Impact
An attacker *with admin privileges* (or anyone able to trick an admin into clicking a malicious link, if CSRF applies) can:
- Access sensitive WordPress configuration files (wp-config.php)
- Access system files (/etc/passwd, Windows equivalents, etc.)
- Read files of other websites on the same server
This could lead to full site compromise or leaking of sensitive database credentials.
Vulnerable Code Walkthrough
Disclaimer: The following is a simplified version for educational purposes and should *not* be used maliciously.
    function show_es_logs() {
        // user-controlled file name, taken straight from the query string
        $file = isset($_GET['file']) ? $_GET['file'] : 'default.log';
        $log_dir = ES_PATH . '/logs/';
        // simple concatenation: "../" sequences in $file walk out of $log_dir
        $file_path = $log_dir . $file;
        if (file_exists($file_path)) {
            readfile($file_path);   // sends whatever file was resolved to the browser
        }
    }
There’s no sanitization — so you can supply ../../../wp-config.php as the file parameter to escape the intended logs folder and grab the configuration file.
Exploit Example
Let’s say your WordPress admin panel is at:
https://yoursite.com/wp-admin/
Try browsing to (replace with your real site URL):
https://yoursite.com/wp-admin/admin.php?page=icegram_express_logs&file=../../../wp-config.php
- file=../../../wp-config.php tricks the plugin into reading the wp-config.php file instead of a regular log.
- You can try even more traversal steps (../../../../otherdir/file.txt) to reach files stored elsewhere.
Result:
The contents of wp-config.php, possibly visible in your browser, including your DB credentials and security keys.
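On the defensive side, requests like the one above leave a clear trace in the web server access log. The following PHP script is an added example, not part of the original write-up or the plugin: it parses combined-format access-log lines, picks out requests to the icegram_express_logs page (the endpoint name is taken from the URL above), and reports any whose file= parameter contains "..", a path separator or a NUL byte after undoing up to two layers of URL encoding, so single- and double-encoded variants are caught as well. The log lines in the script are constructed for the demonstration.

```php
<?php
// Added example, not from the original write-up or the plugin: scan web
// server access-log lines for requests to the Icegram Express log viewer
// whose file= parameter looks like a traversal attempt. The endpoint name
// comes from the URL in the text above; the log lines are constructed.
declare(strict_types=1);

const ES_LOG_PAGE = 'icegram_express_logs';

/**
 * True when a file= value, after undoing up to two layers of URL encoding
 * (so ..%2F and ..%252F are both caught), contains "..", a path separator
 * or a NUL byte. A legitimate request carries a plain log file name.
 */
function is_traversal(string $value): bool
{
    $decoded = $value;
    for ($i = 0; $i < 2; $i++) {
        $decoded = rawurldecode($decoded);
    }
    return preg_match('#\.\.|[/\\\\]|\x00#', $decoded) === 1;
}

/**
 * Parse one combined-format access-log line. Returns null if the line does
 * not match. The third field is the HTTP-auth user, which WordPress logins
 * do not populate, so it is normally "-".
 */
function parse_access_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/';
    if (preg_match($re, $line, $m) !== 1) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'target' => $m[4], 'status' => (int) $m[5]];
}

/**
 * Return one finding per request to the log viewer whose file= value is a
 * traversal attempt, keyed by 1-based line number.
 */
function find_traversal_requests(array $lines): array
{
    $findings = [];
    foreach ($lines as $i => $line) {
        $rec = parse_access_line($line);
        if ($rec === null) {
            continue;
        }
        $query = parse_url($rec['target'], PHP_URL_QUERY);
        if (!is_string($query)) {
            continue;
        }
        parse_str($query, $params);          // decodes one layer of %XX
        if (($params['page'] ?? null) !== ES_LOG_PAGE
            || !isset($params['file']) || !is_string($params['file'])) {
            continue;
        }
        if (is_traversal($params['file'])) {
            $findings[$i + 1] = ['ip' => $rec['ip'], 'time' => $rec['time'], 'file' => $params['file'], 'status' => $rec['status']];
        }
    }
    return $findings;
}

// Constructed sample lines: one normal log view, one traversal with a 200
// response, one double-encoded attempt that was redirected (not logged in),
// and one unrelated request.
$sample = [
    '203.0.113.7 - - [20/Oct/2023:07:15:17 +0000] "GET /wp-admin/admin.php?page=icegram_express_logs&file=default.log HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [20/Oct/2023:07:16:02 +0000] "GET /wp-admin/admin.php?page=icegram_express_logs&file=../../../wp-config.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [20/Oct/2023:07:18:40 +0000] "GET /wp-admin/admin.php?page=icegram_express_logs&file=..%252F..%252Fwp-config.php HTTP/1.1" 302 0 "-" "curl/8.0"',
    '192.0.2.5 - - [20/Oct/2023:07:20:00 +0000] "GET /?p=1 HTTP/1.1" 200 8000 "-" "Mozilla/5.0"',
];

foreach (find_traversal_requests($sample) as $lineNo => $f) {
    // A 200 means the plugin served the file; a 302 to the login page means
    // the request never reached the vulnerable code, but is still worth noting.
    printf("line %d: %s at %s requested file=%s (HTTP %d)\n",
        $lineNo, $f['ip'], $f['time'], $f['file'], $f['status']);
}
```

The status code is the important field when triaging: a 200 on a traversal request means an authenticated admin session actually read the file, which should be treated as a credential exposure (rotate the database password and the salts in wp-config.php), while a 302 to the login page means the request was unauthenticated and never reached show_es_logs.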
Responsible Fixes & Mitigations
Upgrade Immediately:
Icegram patched this bug in version 5.6.24.
- Icegram Express Changelog
Run composer update or update via your WordPress dashboard now.
Defensive Coding Practice:
Validate and sanitize user input! A patched function might look like:
    $file = basename($_GET['file'] ?? 'default.log');
    $log_dir = ES_PATH . '/logs/';
    $file_path = realpath($log_dir . $file);
    $real_dir = realpath($log_dir);
    // realpath() returns false for a missing file; compare against the directory
    // with its trailing separator so a sibling such as /logs_old/ cannot match
    if ($file_path !== false && $real_dir !== false
        && strpos($file_path, $real_dir . DIRECTORY_SEPARATOR) === 0
        && is_file($file_path)) {
        readfile($file_path);
    }
This ensures the read path stays within the log directory: basename() strips any directory components from the request, and the realpath() comparison catches anything that still resolves outside the log folder, including symlinks.
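Below is a fuller hardened version written for this article as an added example; it is not Icegram's code and does not claim to match the vendor's 5.6.24 patch. It assumes the same ES_PATH . '/logs' layout the snippet above uses (a temporary stand-in for ES_PATH is defined when run outside WordPress), and the helper names resolve_log_path and show_es_logs_hardened are invented. It goes beyond the snippet above by layering three checks: an allowlist on the file name, a restriction to the .log extension, and a containment check on the resolved path. The self-check at the end builds a constructed directory with a decoy "secret" file and a symlink pointing at it, and shows which inputs are refused.

```php
<?php
// Added example, not the plugin's code: a hardened version of the log
// reader described above. It assumes a log directory under ES_PATH/logs;
// ES_PATH is the plugin's constant, so a temporary stand-in is defined
// when the script runs outside WordPress.
declare(strict_types=1);

if (!defined('ES_PATH')) {
    define('ES_PATH', sys_get_temp_dir() . '/es-traversal-demo');
}

/**
 * Map a user-supplied name to an absolute path inside $log_dir, or return
 * null when the request would read anything outside that directory.
 */
function resolve_log_path(string $requested, string $log_dir): ?string
{
    // 1. Accept only a plain file name. Slashes, backslashes, "..", NUL bytes
    //    and encoded characters are refused before touching the filesystem.
    if (preg_match('/\A[A-Za-z0-9._-]+\z/', $requested) !== 1
        || strpos($requested, '..') !== false) {
        return null;
    }
    // 2. Serve only the file type this feature exists for.
    if (substr($requested, -4) !== '.log') {
        return null;
    }
    $base = realpath($log_dir);
    if ($base === false) {
        return null;                         // log directory does not exist
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false || !is_file($candidate)) {
        return null;                         // missing, or not a regular file
    }
    // 3. Containment check on the resolved path. realpath() follows symlinks,
    //    so a link inside logs/ pointing elsewhere fails here. The trailing
    //    separator stops a sibling such as "/logs_old/" from matching "/logs".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

function show_es_logs_hardened(): void
{
    $requested = (isset($_GET['file']) && is_string($_GET['file'])) ? $_GET['file'] : 'default.log';
    $path = resolve_log_path($requested, ES_PATH . '/logs');
    if ($path === null) {
        http_response_code(400);
        echo 'Invalid log file.';
        return;
    }
    header('Content-Type: text/plain');
    readfile($path);
}

// Self-check against a constructed directory layout (run from the CLI).
$logs = ES_PATH . '/logs';
if (!is_dir($logs)) {
    mkdir($logs, 0700, true);
}
file_put_contents($logs . '/default.log', "demo log line\n");
file_put_contents(ES_PATH . '/secret.php', "<?php // stands in for wp-config.php\n");

$cases = [
    'default.log'        => 'allowed',
    '../secret.php'      => 'rejected',   // classic traversal
    '..%2Fsecret.php'    => 'rejected',   // '%' is not an allowed character
    '/etc/passwd'        => 'rejected',   // absolute path
    "default.log\0.txt"  => 'rejected',   // NUL byte
    'missing.log'        => 'rejected',   // realpath() returns false
    'notes.txt'          => 'rejected',   // wrong extension
];
$link = $logs . '/escape.log';
if (is_link($link) || @symlink(ES_PATH . '/secret.php', $link)) {
    $cases['escape.log'] = 'rejected';    // passes the name filter, caught by step 3
}
foreach ($cases as $input => $expected) {
    $verdict = resolve_log_path($input, $logs) === null ? 'rejected' : 'allowed';
    printf("%-20s %-8s %s\n", addcslashes($input, "\0"), $verdict, $verdict === $expected ? 'ok' : 'MISMATCH');
}
```

The symlink case is the reason the realpath() comparison is kept even though the name filter already rejects every traversal string: on shared hosting a writable logs/ directory can end up containing a link to a file elsewhere, and only a check on the resolved path catches that.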
Is This a “Big Deal”?
Yes. While this is *not* directly accessible to non-admins, WordPress is often shared among multiple users, and plugins occasionally grant accidental extra privileges. *Plus, attackers who gain admin access through social engineering or other vulnerabilities often chain bugs like this for total compromise.*
Official resources & further reading
- Original Advisory at WPScan
- Icegram Plugin on WordPress.org
- NVD Listing
Final Words
If you’re running Icegram Express ≤ 5.6.23, update *right now*. Directory traversal lets admin-level users poke into files you never meant to share — a huge risk on shared servers! Always keep your plugins updated, and be wary of extra admin users.
Timeline
Published on: 10/20/2023 07:15:17 UTC
Last modified on: 11/07/2023 04:23:58 UTC