CVE-2024-5703
📋 TL;DR
This vulnerability allows authenticated WordPress users with Subscriber-level access or higher to perform unauthorized API operations in the Email Subscribers plugin. Attackers can add, edit, and delete audience users through the plugin's REST API. All WordPress sites using vulnerable versions of the Email Subscribers plugin are affected.
💻 Affected Systems
- Email Subscribers by Icegram Express WordPress Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
An attacker could completely compromise the email marketing database, deleting all subscribers, adding malicious users, or modifying legitimate subscriber data, potentially leading to data loss, unauthorized email campaigns, or compliance violations.
Likely Case
Attackers with subscriber accounts could manipulate the email subscriber list, potentially adding spam email addresses, modifying legitimate subscribers, or deleting portions of the audience database.
If Mitigated
With proper access controls and monitoring, impact is limited to minor data manipulation that can be detected and rolled back through backups.
🎯 Exploit Status
Exploitation requires an authenticated account but is technically simple: the REST API calls themselves lack proper authorization checks, so no special tooling is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.7.27 and later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3118326/email-subscribers/trunk/lite/admin/class-es-rest-api-admin.php
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Email Subscribers & Newsletters'.
4. Click 'Update Now' if available, or download version 5.7.27+ from WordPress.org.
5. Activate the updated plugin.
🔧 Temporary Workarounds
Disable REST API
Temporarily disable the Email Subscribers REST API to prevent exploitation
Navigate to Email Subscribers → Settings → General → REST API → Set to 'Disabled'
Restrict User Registration
Temporarily disable new user registration to prevent attackers from obtaining Subscriber accounts
Navigate to Settings → General → Membership → Uncheck 'Anyone can register'
🧯 If You Can't Patch
- Implement strict access controls and monitor all API calls to the Email Subscribers endpoints
- Regularly audit and back up the subscriber database, and implement change-detection alerts
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins → Email Subscribers & Newsletters → Version number. If version is 5.7.26 or lower, you are vulnerable.
Check Version:
wp plugin list --name='email-subscribers' --field=version
Verify Fix Applied:
Verify that the plugin version is 5.7.27 or higher in the WordPress admin panel, then test the API endpoints with a Subscriber-level account to confirm they now return authorization errors.
📡 Detection & Monitoring
Log Indicators:
- Unusual API calls to /wp-json/email-subscribers/ endpoints from Subscriber-level users
- Multiple POST/PUT/DELETE requests to subscriber management endpoints
Network Indicators:
- HTTP requests to /wp-json/email-subscribers/v1/* endpoints with subscriber authentication
SIEM Query:
source="wordpress" AND (uri_path="/wp-json/email-subscribers/*" AND http_method IN ("POST", "PUT", "DELETE")) AND user_role="subscriber"
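The same predicate as the SIEM query above, as an added example (not part of the advisory) that runs over constructed log records and additionally flags users with repeated mutating calls, per the "multiple POST/PUT/DELETE requests" indicator. Field names mirror the query; the endpoint sub-paths and the burst threshold are assumptions.

```python
"""Detection check for CVE-2024-5703 style activity over WordPress access-log
records. Added example; the records below are constructed, not real logs."""
from collections import Counter
from fnmatch import fnmatch

# Same predicate as the SIEM query: mutating calls into the plugin's REST
# namespace made by a Subscriber-level account.
ES_PATH_PATTERN = "/wp-json/email-subscribers/*"
MUTATING_METHODS = {"POST", "PUT", "DELETE"}
BURST_THRESHOLD = 3  # assumption: 3+ mutating calls from one user is a burst


def is_suspicious(rec):
    """True when a single record matches the SIEM query's conditions."""
    return (
        rec.get("source") == "wordpress"
        and fnmatch(rec.get("uri_path", ""), ES_PATH_PATTERN)  # '*' spans '/'
        and rec.get("http_method") in MUTATING_METHODS
        and rec.get("user_role") == "subscriber"
    )


def find_suspicious(records, burst_threshold=BURST_THRESHOLD):
    """Return matching records plus users exceeding the burst threshold."""
    hits = [r for r in records if is_suspicious(r)]
    per_user = Counter(r.get("user", "<unknown>") for r in hits)
    bursting = sorted(u for u, n in per_user.items() if n >= burst_threshold)
    return {"hits": hits, "bursting_users": bursting}


# Constructed sample records; sub-paths under /v1/ are hypothetical.
SAMPLE_LOGS = [
    {"source": "wordpress", "user": "bob", "user_role": "subscriber",
     "http_method": "POST", "uri_path": "/wp-json/email-subscribers/v1/audience/add"},
    {"source": "wordpress", "user": "bob", "user_role": "subscriber",
     "http_method": "PUT", "uri_path": "/wp-json/email-subscribers/v1/audience/edit"},
    {"source": "wordpress", "user": "bob", "user_role": "subscriber",
     "http_method": "DELETE", "uri_path": "/wp-json/email-subscribers/v1/audience/delete"},
    {"source": "wordpress", "user": "alice", "user_role": "administrator",
     "http_method": "POST", "uri_path": "/wp-json/email-subscribers/v1/audience/add"},
    {"source": "wordpress", "user": "carol", "user_role": "subscriber",
     "http_method": "GET", "uri_path": "/wp-json/email-subscribers/v1/audience"},
    {"source": "wordpress", "user": "carol", "user_role": "subscriber",
     "http_method": "POST", "uri_path": "/wp-json/wp/v2/comments"},
    {"source": "wordpress", "user": "dave", "user_role": "subscriber",
     "http_method": "POST", "uri_path": "/wp-json/email-subscribers/v1/audience/add"},
]

if __name__ == "__main__":
    print(find_suspicious(SAMPLE_LOGS))
```

Administrator writes and Subscriber read-only GETs are deliberately left out of the hits, so the output isolates the privilege-boundary violation rather than normal plugin use.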
🔗 References
- https://plugins.trac.wordpress.org/browser/email-subscribers/trunk/lite/admin/class-es-rest-api-admin.php#L25
- https://plugins.trac.wordpress.org/changeset/3118326/email-subscribers/trunk/lite/admin/class-es-rest-api-admin.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/22283650-36bf-43e5-a57e-a91025fb2af7?source=cve