CVE-2024-11636
📋 TL;DR
This vulnerability allows high-privilege WordPress users (like administrators) to inject malicious scripts into Text Block options in the Email Subscribers by Icegram Express plugin. The stored XSS payload executes when other users view affected pages, even in multisite setups where unfiltered_html is normally restricted. Only WordPress sites using vulnerable versions of this specific plugin are affected.
💻 Affected Systems
- Email Subscribers by Icegram Express WordPress Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker with admin privileges could steal session cookies, redirect users to malicious sites, or perform actions on behalf of other users, potentially compromising the entire WordPress site.
Likely Case
A malicious admin could embed JavaScript that steals credentials or performs unauthorized actions when other administrators or editors view the plugin's settings pages.
If Mitigated
With proper user access controls and admin vetting, impact is limited to trusted administrators who shouldn't be attacking their own sites.
🎯 Exploit Status
Exploitation requires admin-level access. Attack is straightforward once authenticated with sufficient privileges.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.7.45
Vendor Advisory: https://wpscan.com/vulnerability/da616c20-3d74-4d3a-95f5-2d71d9ada094/
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Email Subscribers by Icegram Express'.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 5.7.45+ from WordPress.org and update manually.
🔧 Temporary Workarounds
Remove vulnerable plugin
Temporarily disable or remove the plugin until patched
wp plugin deactivate email-subscribers
wp plugin delete email-subscribers
Restrict admin access
Limit the number of users with admin privileges and implement strict access controls
🧯 If You Can't Patch
- Implement Content Security Policy (CSP) headers to restrict script execution
- Use web application firewall (WAF) rules to detect and block XSS payloads in plugin parameters
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins → Email Subscribers by Icegram Express → Version number
Check Version:
wp plugin get email-subscribers --field=version
Verify Fix Applied:
Verify plugin version is 5.7.45 or higher in WordPress admin panel
📡 Detection & Monitoring
Log Indicators:
- Unusual admin user activity modifying plugin settings
- Multiple failed login attempts followed by successful admin login
Network Indicators:
- HTTP POST requests to /wp-admin/admin.php?page=es_settings with suspicious script tags in parameters
SIEM Query:
source="wordpress.log" AND ("es_settings" OR "email-subscribers") AND ("script" OR "javascript" OR "onload" OR "onerror")
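The network indicator and SIEM query above match raw keywords, which a percent-encoded payload would evade. As an added example that is not part of this advisory, the following Python checks constructed request records for POSTs to page=es_settings and applies the same script markers after URL-decoding each parameter; the record format and the parameter name es_text_block are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample request records (method, URI, form body), in the shape a
# WAF or request-logging plugin might keep; not real traffic from any site.
SAMPLE_LOG = [
    "POST /wp-admin/admin.php?page=es_settings es_text_block=Welcome+to+our+newsletter",
    "POST /wp-admin/admin.php?page=es_settings es_text_block=%3Cscript%3Ealert(1)%3C%2Fscript%3E",
    "POST /wp-admin/admin.php?page=es_settings es_text_block=%3Cimg+src%3Dx+onerror%3Dalert(1)%3E",
    "POST /wp-admin/admin.php?page=es_dashboard note=%3Cscript%3E",
    "GET /wp-admin/admin.php?page=es_settings",
]

# Heuristic markers for active content; applied after URL decoding so that
# percent-encoded payloads, which a raw keyword search misses, are still caught.
XSS_MARKERS = re.compile(r"<\s*script|javascript\s*:|\bon[a-z]+\s*=", re.IGNORECASE)


def is_es_settings_post(method, uri):
    """True for a POST to the plugin's settings page (page=es_settings)."""
    parts = urlsplit(uri)
    page = parse_qs(parts.query).get("page", [""])[0]
    return method == "POST" and parts.path == "/wp-admin/admin.php" and page == "es_settings"


def find_suspicious(lines):
    """Return (line_number, field_name, decoded_value) for each flagged parameter."""
    hits = []
    for number, line in enumerate(lines, 1):
        fields = line.split(" ", 2)
        if len(fields) < 2:
            continue  # malformed record
        method, uri = fields[0], fields[1]
        body = fields[2] if len(fields) == 3 else ""
        if not is_es_settings_post(method, uri):
            continue
        for name, values in parse_qs(body, keep_blank_values=True).items():
            for value in values:
                # parse_qs decodes once; a second pass also exposes double-encoded input
                decoded = unquote_plus(value)
                if XSS_MARKERS.search(decoded):
                    hits.append((number, name, decoded))
    return hits


if __name__ == "__main__":
    for number, name, value in find_suspicious(SAMPLE_LOG):
        print(f"line {number}: parameter {name!r} contains active content: {value!r}")
```

The markers are a heuristic; review flagged records by hand, since legitimate HTML in a text block can also contain attribute names beginning with "on".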