CVE-2025-12348
📋 TL;DR
This vulnerability allows unauthenticated attackers to execute scheduled actions in the Icegram Express WordPress plugin by guessing action IDs. This could trigger email sends, maintenance tasks, or other privileged operations without authorization. WordPress sites using vulnerable plugin versions are affected.
💻 Affected Systems
- Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin for WordPress
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could trigger mass email campaigns, exhaust server resources through repeated task execution, or manipulate plugin data causing service disruption.
Likely Case
Unauthorized email sends, unexpected maintenance tasks running, and increased server resource usage from repeated action execution.
If Mitigated
Limited impact with proper network controls and monitoring, but still represents an authentication bypass vulnerability.
🎯 Exploit Status
Exploitation requires guessing action IDs, which may be predictable depending on implementation.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.9.11 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3394838/email-subscribers/trunk/lite/includes/classes/class-ig-es-background-process-helper.php
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins. 3. Find Icegram Express plugin. 4. Click 'Update Now' if available. 5. Alternatively, download version 5.9.11+ from WordPress repository and manually update.
🔧 Temporary Workarounds
Disable vulnerable endpoint via .htaccess
linuxBlock access to the vulnerable function endpoint
# Add to .htaccess in WordPress root directory
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{QUERY_STRING} action=run_action_scheduler_task [NC]
RewriteRule .* - [F,L]
</IfModule>
🧯 If You Can't Patch
- Temporarily disable the Icegram Express plugin until patching is possible
- Implement web application firewall rules to block requests containing 'run_action_scheduler_task' parameter
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Icegram Express version. If version is 5.9.10 or lower, system is vulnerable.Check Version:
wp plugin list --name='Icegram Express' --field=versionVerify Fix Applied:
Verify plugin version is 5.9.11 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to WordPress with 'action=run_action_scheduler_task' parameter
- Spike in email sending activity from WordPress
- Increased server resource usage from plugin tasks
Network Indicators:
- HTTP requests containing 'run_action_scheduler_task' from unexpected IP addresses
SIEM Query:
source="wordpress_access.log" AND "run_action_scheduler_task" AND NOT user_agent="WordPress/*"🔗 References
- https://plugins.trac.wordpress.org/browser/email-subscribers/tags/5.9.4/lite/includes/classes/class-es-queue.php#L50
- https://plugins.trac.wordpress.org/browser/email-subscribers/tags/5.9.4/lite/includes/classes/class-ig-es-background-process-helper.php#L194
- https://plugins.trac.wordpress.org/changeset/3394838/email-subscribers/trunk/lite/includes/classes/class-ig-es-background-process-helper.php
- https://www.wordfence.com/threat-intel/vulnerabilities/id/c6ba7244-0ecf-412f-9b8b-6b81fa6cdeb5?source=cve
