CVE-2024-5756
📋 TL;DR
This vulnerability allows unauthenticated attackers to perform time-based SQL injection attacks against the Email Subscribers WordPress plugin. Attackers can extract sensitive information from the database by injecting malicious SQL queries through the db parameter. All WordPress sites using vulnerable versions of this plugin are affected.
💻 Affected Systems
- Email Subscribers by Icegram Express WordPress Plugin
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete database compromise including extraction of user credentials, personal data, email lists, and potentially WordPress admin credentials leading to full site takeover.
Likely Case
Extraction of email subscriber lists, user data, and potentially other sensitive information stored in the database.
If Mitigated
Limited information disclosure if database permissions are properly restricted and sensitive data is encrypted.
🎯 Exploit Status
Time-based SQL injection requires more sophisticated exploitation than boolean-based but is still relatively straightforward for attackers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.7.24 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3101638/email-subscribers/trunk/lite/includes/db/class-es-db-contacts.php
Restart Required: No
Instructions:
1. Log into WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find 'Email Subscribers by Icegram Express'.
4. Click 'Update Now' if available.
5. Alternatively, download version 5.7.24+ from WordPress.org and manually update.
🔧 Temporary Workarounds
Temporary Plugin Deactivation
Disable the vulnerable plugin until patched
wp plugin deactivate email-subscribers
WAF Rule Implementation
Block SQL injection attempts targeting the db parameter
# Configure WAF to block requests containing SQL injection patterns in db parameter
🧯 If You Can't Patch
- Implement a web application firewall (WAF) with SQL injection protection rules
- Restrict database user permissions to limit potential data exposure
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Email Subscribers version. If version is 5.7.23 or lower, you are vulnerable.
Check Version:
wp plugin get email-subscribers --field=version
Verify Fix Applied:
Verify plugin version is 5.7.24 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual database queries with time delays
- Multiple requests to plugin endpoints with SQL-like patterns in parameters
- Database error logs showing SQL syntax errors
Network Indicators:
- HTTP requests containing SQL keywords (SLEEP, WAITFOR, BENCHMARK) in db parameter
- Unusual traffic patterns to plugin endpoints
SIEM Query:
source="web_logs" AND (uri_path="/wp-content/plugins/email-subscribers/" OR user_agent CONTAINS "Email Subscribers") AND (request_params CONTAINS "SLEEP" OR request_params CONTAINS "WAITFOR" OR request_params CONTAINS "BENCHMARK")
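The log and network indicators above can be turned into a concrete check. The following Python script is an added example, not part of this advisory or of the plugin: it parses web-server access log lines in the common combined format (an assumed layout), extracts the db query parameter named in the advisory, URL-decodes it a second time to catch double-encoded values, and flags values containing the SLEEP, BENCHMARK or WAITFOR primitives listed under Network Indicators. It matches on the parameter across all request paths rather than only under the plugin directory, which is a design choice so that requests routed through other WordPress entry points are not missed. The log lines are constructed sample data. Note that standard access logs do not record POST bodies, so the same parameter sent in a request body would only be visible in WAF or application logs.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Time-based SQL injection primitives named in the advisory's Network Indicators.
TIME_BASED_PATTERNS = re.compile(r"\b(SLEEP|BENCHMARK|WAITFOR)\b", re.IGNORECASE)

# Apache/nginx "combined" access log layout (assumed format for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log lines: one benign db value, two time-based payloads
# (the second one double URL-encoded), and one unrelated request.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2024:12:00:01 +0000] "GET /wp-content/plugins/email-subscribers/?db=contacts HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jun/2024:12:00:02 +0000] "GET /wp-content/plugins/email-subscribers/?db=1+AND+SLEEP(5) HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Jun/2024:12:00:09 +0000] "GET /index.php?db=1%2520AND%2520BENCHMARK(5000000%2CMD5(1)) HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2024:12:00:10 +0000] "GET /?s=sleep+tips HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""


def suspicious_db_values(target):
    """Return decoded 'db' parameter values that contain time-based SQL primitives."""
    query = urlsplit(target).query
    hits = []
    # parse_qs decodes once; unquote_plus decodes again so that
    # double-encoded payloads (%2520 -> %20 -> space) are still inspected.
    for value in parse_qs(query, keep_blank_values=True).get("db", []):
        decoded = unquote_plus(value)
        if TIME_BASED_PATTERNS.search(decoded):
            hits.append(decoded)
    return hits


def scan_log(lines):
    """Yield one finding per request whose db parameter looks like time-based SQLi."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed log format
        values = suspicious_db_values(m.group("target"))
        if values:
            findings.append({
                "ip": m.group("ip"),
                "timestamp": m.group("ts"),
                "target": m.group("target"),
                "values": values,
            })
    return findings


def summarise_by_ip(findings):
    """Count flagged requests per source IP; repeated hits from one source
    are the typical shape of automated time-based probing."""
    return Counter(f["ip"] for f in findings)


if __name__ == "__main__":
    results = scan_log(SAMPLE_LOG.splitlines())
    for f in results:
        print(f"{f['timestamp']} {f['ip']} {f['target']} -> {f['values']}")
    print("per-source counts:", dict(summarise_by_ip(results)))
```

Run it against a real access log by replacing the SAMPLE_LOG lines with the file contents; the per-source counts are what to escalate on, since a single keyword match can be a false positive while a burst of them from one address matches the "multiple requests ... with SQL-like patterns" indicator above.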
🔗 References
- https://plugins.trac.wordpress.org/browser/email-subscribers/trunk/lite/includes/db/class-es-db-contacts.php#L532
- https://plugins.trac.wordpress.org/changeset/3101638/email-subscribers/trunk/lite/includes/db/class-es-db-contacts.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/c5bd11c6-2f55-4eee-834a-c4e405482b9c?source=cve