CVE-2024-4845

CVSS 8.8 HIGH

📋 TL;DR

The Icegram Express WordPress plugin (slug email-subscribers) contains a SQL injection vulnerability in the options[list_id] parameter: the value is neither escaped nor bound in a prepared statement, so an authenticated attacker with Subscriber-level access or higher can append arbitrary SQL to the existing query. This can be used to extract sensitive data from the database, including user password hashes and subscriber lists. Every WordPress site running version 5.7.22 or earlier of the plugin is affected.

💻 Affected Systems

Products:
  • Icegram Express (formerly Email Subscribers & Newsletters)
Versions: All versions up to and including 5.7.22
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with the vulnerable plugin enabled. Attackers need at least Subscriber-level WordPress authentication.

📦 What is this software?

Icegram Express (formerly Email Subscribers & Newsletters, WordPress.org slug email-subscribers) is an email marketing plugin for WordPress: it adds subscription forms, manages subscriber lists and sends newsletters from the WordPress admin, so its database tables hold subscriber contact data alongside the site's own user table.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise leading to credential theft, data exfiltration, privilege escalation, and potential site takeover.

🟠 Likely Case: Extraction of sensitive user data, subscriber email lists, and potentially administrator password hashes from the database (hashes can then be cracked offline).

🟢 If Mitigated: With 5.7.23 or later installed, or the plugin deactivated, the injection is closed; Subscriber-level accounts can then reach only the data the plugin is designed to expose to them.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: No
Weaponized: LIKELY
Unauthenticated Exploit: No (a Subscriber-level account is required)
Complexity: LOW

Exploitation requires an authenticated session, but any Subscriber-level account is enough; on sites with open registration an attacker can create one in seconds, after which the injection itself is technically simple. The plugin's large install base makes it an attractive target.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.7.23 and later

Vendor Advisory / Fix Changeset (WordPress.org plugin SVN): https://plugins.trac.wordpress.org/changeset/3098321/email-subscribers

Restart Required: No

Instructions:

1. Log into WordPress admin panel
2. Navigate to Plugins > Installed Plugins
3. Find Icegram Express plugin
4. Click 'Update Now' if update is available
5. Alternatively, download version 5.7.23+ from WordPress repository and manually update
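The steps above scale poorly when many sites are involved. The following is an added example, not tooling from the plugin vendor or from this advisory: it runs the same check-then-update flow with wp-cli across a list of WordPress roots, and falls back to the deactivation workaround when updating is not allowed. It assumes wp-cli is installed as `wp` and that each path given is a WordPress root; the 5.7.23 threshold is the patched version named above.

```python
"""Fleet check for CVE-2024-4845: find WordPress installs running Icegram Express
(plugin slug email-subscribers) at or below 5.7.22 and update or deactivate them.

Added example for this advisory, not tooling from the plugin vendor. It assumes
wp-cli is installed as `wp` and that each path listed is a WordPress root.
"""
import subprocess
import sys
from typing import Optional, Tuple

PLUGIN_SLUG = "email-subscribers"
FIXED_VERSION = "5.7.23"  # first release with the fix, per the advisory


def parse_version(version: str) -> Tuple[int, ...]:
    """'5.7.22' -> (5, 7, 22). A non-numeric suffix such as '-beta' is ignored."""
    numbers = []
    for piece in version.strip().split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        numbers.append(int(digits or "0"))
    return tuple(numbers)


def is_vulnerable(version: str) -> bool:
    """True for every version up to and including 5.7.22 (tuple comparison pads short versions)."""
    return parse_version(version) < parse_version(FIXED_VERSION)


def wp(path: str, *args: str) -> Optional[str]:
    """Run `wp --path=<path> <args>` and return stdout; None if wp-cli fails or is missing."""
    cmd = ["wp", "--path=" + path, *args]
    try:
        done = subprocess.run(cmd, capture_output=True, text=True, check=True)
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return done.stdout.strip()


def installed_version(path: str) -> Optional[str]:
    """Version string of Icegram Express at `path`, or None when it is not installed."""
    return wp(path, "plugin", "get", PLUGIN_SLUG, "--field=version") or None


def decide(version: Optional[str], can_update: bool) -> str:
    """Pure decision step used by remediate(): 'skip', 'update' or 'deactivate'."""
    if version is None or not is_vulnerable(version):
        return "skip"
    return "update" if can_update else "deactivate"


def remediate(path: str, can_update: bool = True) -> str:
    """Apply the decision for one install and return a one-line report."""
    before = installed_version(path)
    action = decide(before, can_update)
    if action == "skip":
        return f"{path}: {before or 'not installed'} - nothing to do"
    if wp(path, "plugin", action, PLUGIN_SLUG) is None:
        return f"{path}: {before} - wp plugin {action} FAILED, still vulnerable"
    if action == "deactivate":
        return f"{path}: {before} deactivated (workaround only; update to {FIXED_VERSION}+)"
    # Re-read the version after the update so the report reflects what is actually on disk.
    after = installed_version(path)
    fixed = after is not None and not is_vulnerable(after)
    return f"{path}: {before} -> {after} ({'fixed' if fixed else 'STILL VULNERABLE'})"


if __name__ == "__main__":
    # Usage: python icegram_audit.py [--deactivate-only] /var/www/site1 /var/www/site2 ...
    argv = sys.argv[1:]
    allow_update = "--deactivate-only" not in argv
    for root in [a for a in argv if not a.startswith("--")]:
        print(remediate(root, allow_update))
```

The version comparison is done numerically rather than with string comparison, so 5.7.9 is correctly treated as older than 5.7.23 and a two-part version such as 5.7 is treated as affected. The decision is kept in a pure function so it can be checked without a live WordPress install.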

🔧 Temporary Workarounds

Temporary Plugin Deactivation (all platforms)

Disable the vulnerable plugin until it can be updated; subscription forms and newsletter sending stop while it is off:

wp plugin deactivate email-subscribers

WAF Rule Implementation (all platforms)

Add SQL injection protection rules to the web application firewall, scoped to requests that carry the options[list_id] parameter (also in its URL-encoded form, options%5Blist_id%5D). A legitimate list ID is normally numeric, so a rule that rejects non-numeric values for that parameter is tighter than a generic SQL-keyword signature. Treat this as a stopgap: the request comes from an authenticated user, and generic signatures are routinely bypassed.

🧯 If You Can't Patch

  • Turn off open registration (Settings > General > "Anyone can register") and audit existing Subscriber-level accounts; the attack needs nothing more than such an account
  • Grant the WordPress database user privileges on the WordPress database only: the injected SQL runs with that user's rights over the application's own connection, so network segmentation of the database host does not stop it, but least-privilege grants limit what can be read
  • Keep WAF request logs or MySQL query logs during the exposure window so that exploitation attempts can be investigated afterwards

🔍 How to Verify

Check if Vulnerable:

Check plugin version in WordPress admin under Plugins > Installed Plugins. If version is 5.7.22 or lower, you are vulnerable.

Check Version:

wp plugin get email-subscribers --field=version

Verify Fix Applied:

Confirm that the plugin reports version 5.7.23 or higher after the update (wp plugin get email-subscribers --field=version). The fix is the changeset linked under Official Fix; if you run a forked or vendored copy of the plugin, compare it against that changeset rather than relying on the version string alone. Do not probe the options[list_id] parameter with live SQL payloads on a production site; use a staging copy if you want to exercise it.

📡 Detection & Monitoring

Log Indicators:

  • Values of options[list_id] that are not a plain integer, in particular ones containing SQL keywords, quotes or comment sequences (UNION, SELECT, SLEEP, BENCHMARK, ', --)
  • A fresh Subscriber registration or login followed within minutes by requests from the same IP or session that carry such values
  • In the MySQL slow or general query log (if enabled): time-based patterns (SLEEP, BENCHMARK) or UNION SELECT statements touching wp_users or wp_options issued by the WordPress database user

Network Indicators:

  • SQL injection payloads in the options[list_id] parameter of HTTP POST bodies or query strings (URL-encoded as options%5Blist_id%5D=)
  • Unusual query volume or query shapes from the WordPress host to the database server

SIEM Query:

source="web_logs" AND ("options[list_id]" OR "options%5Blist_id%5D") AND ("UNION" OR "SELECT" OR "SLEEP" OR "BENCHMARK" OR "--")

Caveats: the parameter arrives URL-encoded in most logs, so both spellings must be matched; the query only sees the parameter when it is in the query string or when request bodies are logged (standard access logs omit POST bodies, so WAF or application-level logs are needed); and a keyword match anywhere on the line is noisy, since a word such as "select" in an unrelated field also triggers it. Scope the keyword match to the parameter's value where the SIEM allows it.
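To make the indicators above concrete, here is an added example that is not part of this advisory or of the plugin: it scans constructed access-log lines for suspicious options[list_id] values, decoding the parameter properly instead of grepping for keywords anywhere on the line. It assumes an nginx-style combined log with the POST body appended as a final quoted field (for example via $request_body); the sample lines, their paths and the other parameter names are constructed for the demo and do not identify the vulnerable endpoint.

```python
"""Scan access-log lines for SQL-like values in options[list_id] (CVE-2024-4845).

Added example, not part of the advisory or the plugin. Assumed log format:
combined log + one extra quoted field holding the request body (constructed).
"""
import re
from typing import Dict, Iterable, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

PARAM = "options[list_id]"

# Combined log line with an optional trailing quoted body field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*"(?: "(?P<body>[^"]*)")?$'
)

# Tokens that have no business in a list ID; matched only against the decoded parameter value.
SQL_TOKENS = re.compile(
    r"\b(?:union|select|sleep|benchmark|information_schema|extractvalue|updatexml|from)\b|--|/\*|'",
    re.IGNORECASE,
)


def list_id_values(target: str, body: Optional[str]) -> List[str]:
    """Every options[list_id] value from the query string and the body, percent-decoded.

    parse_qs decodes both names and values, so options%5Blist_id%5D is found as well."""
    values: List[str] = []
    for raw in (urlsplit(target).query, body or ""):
        values.extend(parse_qs(raw, keep_blank_values=True).get(PARAM, []))
    return values


def classify(value: str) -> Optional[str]:
    """None for a plain integer (the normal case), 'sqli' for SQL-looking input,
    'non-numeric' for anything else worth a look. A second unquote catches double encoding."""
    decoded = unquote(value)
    if decoded.strip().isdigit():
        return None
    return "sqli" if SQL_TOKENS.search(decoded) else "non-numeric"


def scan(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one finding per suspicious options[list_id] value, with line number and source IP."""
    findings: List[Dict[str, object]] = []
    for number, line in enumerate(lines, 1):
        match = LOG_RE.match(line.rstrip("\n"))
        if not match:
            continue  # unparseable line: ignore rather than crash the scan
        for value in list_id_values(match["target"], match["body"]):
            reason = classify(value)
            if reason:
                findings.append({
                    "line": number, "ip": match["ip"], "user": match["user"],
                    "method": match["method"], "reason": reason, "value": unquote(value),
                })
    return findings


# Constructed sample log (not real traffic). Line 2 contains the word "select" in another
# field and is exactly the false positive a line-wide keyword search would raise.
SAMPLE_LOG = "\n".join([
    '203.0.113.5 - - [16/May/2024:10:01:22 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "Mozilla/5.0" "list_name=Weekly&options%5Blist_id%5D=3"',
    '203.0.113.5 - - [16/May/2024:10:01:40 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 512 "-" "Mozilla/5.0" "message=please+select+a+list&options%5Blist_id%5D=7"',
    '198.51.100.9 - - [16/May/2024:10:05:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 9031 "-" "Mozilla/5.0" "options%5Blist_id%5D=1)+UNION+SELECT+user_login,user_pass+FROM+wp_users--+-"',
    '198.51.100.9 - - [16/May/2024:10:05:09 +0000] "GET /wp-admin/admin-ajax.php?options%5Blist_id%5D=1%20AND%20SLEEP(5) HTTP/1.1" 200 77 "-" "Mozilla/5.0"',
    '192.0.2.77 - - [16/May/2024:10:09:51 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 400 0 "-" "Mozilla/5.0" "options%5Blist_id%5D=abc"',
])


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(hit)
```

The scan decodes the parameter before inspecting it, so the encoded bracket form and `+`-encoded spaces are handled, and the keyword test is applied only to the parameter's value, which is why line 2 ("please select a list" in a different field) is not reported while the UNION SELECT and SLEEP payloads are. Non-numeric values without SQL tokens are reported separately as lower-confidence hits.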
