CVE-2025-12349
📋 TL;DR
The Icegram Express WordPress plugin has an authorization bypass vulnerability that allows unauthenticated attackers to trigger immediate email sending, bypass scheduled mailings, and modify plugin state. This can lead to server resource exhaustion, email abuse, and denial-of-service effects. WordPress sites using the plugin version 5.9.10 or earlier are affected.
💻 Affected Systems
- Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin for WordPress
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Unlimited email sending causing server overload, email service abuse, and potential plugin state corruption leading to service disruption.
Likely Case
Unauthorized email blasts increasing server load, bypassing scheduled mailings, and potential minor service disruption.
If Mitigated
Limited impact with proper rate limiting and monitoring, but still unauthorized email sending capability.
🎯 Exploit Status
The vulnerability is in a publicly accessible function with no authentication checks, making exploitation trivial.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.9.11 or later
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins. 3. Find Icegram Express plugin. 4. Click 'Update Now' if available. 5. Alternatively, download version 5.9.11+ from WordPress repository and manually update.
🔧 Temporary Workarounds
Disable Plugin
allTemporarily disable the vulnerable plugin until patched.
wp plugin deactivate email-subscribers
Web Application Firewall Rule
allBlock access to the vulnerable endpoint via WAF.
Block POST requests to */wp-admin/admin-ajax.php* with action=trigger_mailing_queue_sending
🧯 If You Can't Patch
- Implement strict rate limiting on the WordPress admin-ajax.php endpoint
- Monitor server logs for unusual email sending activity and plugin state changes
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel > Plugins > Icegram Express version. If version is 5.9.10 or lower, you are vulnerable.Check Version:
wp plugin get email-subscribers --field=versionVerify Fix Applied:
Verify plugin version is 5.9.11 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to admin-ajax.php with action=trigger_mailing_queue_sending
- Sudden spikes in email sending activity
- Unexpected changes to plugin cron settings
Network Indicators:
- High volume of outbound SMTP traffic from WordPress server
- Repeated POST requests to admin-ajax.php endpoint
SIEM Query:
source="wordpress.log" AND "trigger_mailing_queue_sending" AND NOT (user_agent="WordPress/*" OR user="admin")🔗 References
- https://plugins.trac.wordpress.org/browser/email-subscribers/tags/5.9.4/lite/includes/classes/class-es-queue.php#L1132
- https://plugins.trac.wordpress.org/browser/email-subscribers/tags/5.9.4/lite/includes/classes/class-es-queue.php#L54
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3394838%40email-subscribers%2Ftrunk&old=3393565%40email-subscribers%2Ftrunk&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/0b4cbe21-9f1b-425b-8141-ae075baaf717?source=cve
