Unauthenticated SQL Injection Vulnerability Patched in Email Subscribers by Icegram Express WordPress Plugin

On March 25th, 2024, during the second Wordfence Bug Bounty Extravaganza, a submission was received for an unauthenticated SQL Injection vulnerability in Email Subscribers by Icegram Express, a WordPress plugin with more than 90,000 active installations. This vulnerability can be leveraged to extract sensitive data from the database, such as password hashes.

Props to Arkadiusz Hydzik who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $1,250.00 for this discovery during our Bug Bounty Program Extravaganza.

All Wordfence users are protected against any exploits targeting this vulnerability by the Wordfence firewall’s built-in SQL Injection protection.

Wordfence contacted the Icegram Team regarding a separate vulnerability on March 21, 2024, and received a response on the same day. After providing full disclosure details about this vulnerability on March 25, 2024, the developer released a patch on March 27, 2024. We would like to commend the Icegram Team for their prompt response and timely patch.

We urge users to update their sites with the latest patched version of Email Subscribers by Icegram Express, which is version 5.7.15, as soon as possible.

Source and more details: https://www.wordfence.com/blog/2024/04/1250-bounty-awarded-for-unauthenticated-sql-injection-vulnerability-patched-in-email-subscribers-by-icegram-express-wordpress-plugin