CVE-2024-4295 Scanner
CVE-2024-4295 scanner - SQL Injection vulnerability in Email Subscribers by Icegram Express
Short Info
Level: Critical
Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 4 weeks
Scan only one: Domain, IPv4
Toolbox: -
The Email Subscribers plugin by Icegram Express is widely used by WordPress site owners to manage newsletter subscriptions and communication with users. It is popular for handling large email lists and automating campaigns. Web developers and digital marketers frequently use this plugin. It is designed for easy integration into websites, making it accessible to non-technical users. This plugin is especially useful for eCommerce platforms, bloggers, and business websites to engage with subscribers.
The vulnerability allows an unauthenticated attacker to inject SQL through the hash parameter used in the subscription flow. The flaw is present in all versions up to and including 5.7.20 and was fixed in 5.7.21. A successful injection lets the attacker alter the query the plugin runs and read data from the WordPress database; whether records can also be modified depends on the query context, since WordPress's database layer does not execute stacked statements appended to a single query.
The vulnerable endpoint is the handler for the subscription opt-in (confirmation) flow, which reads the hash parameter from the confirmation link's URL. The value is placed into a SQL query without being escaped or bound through a prepared statement, so an attacker who appends SQL to the parameter controls part of the query. No authentication is required: the confirmation link is designed to be opened by anyone who received it, so the handler is reachable by any visitor.
If exploited, an attacker can read sensitive information from the database, such as subscriber email addresses and WordPress user records (the wp_users table, which holds usernames and password hashes). This can lead to credential cracking, account takeover, data leakage, or further escalation within the target system. Depending on the query context, modifying or deleting records may also be possible, which would disrupt the website's functionality.
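The check below is an added example, not S4E's scanner and not the plugin's own code. It shows the non-intrusive way to scan for this issue on a domain: fetch the plugin's public readme.txt, which WordPress plugins ship at a predictable path, and compare its "Stable tag" against 5.7.20, the last affected release. The plugin slug email-subscribers is the one used on wordpress.org; the readme text embedded below is constructed for the demonstration, and the User-Agent string is an arbitrary choice.

```python
"""Version-based check for CVE-2024-4295 (Email Subscribers by Icegram Express).

Added example: reads /wp-content/plugins/email-subscribers/readme.txt and
compares the 'Stable tag' with the last vulnerable version, 5.7.20.
It never sends SQL payloads; it only fingerprints the installed version.
"""
import re
import urllib.error
import urllib.request
from typing import Dict, Optional, Tuple

PLUGIN_SLUG = "email-subscribers"          # slug on wordpress.org
LAST_VULNERABLE = (5, 7, 20)               # CVE-2024-4295 affects <= 5.7.20

# 'Stable tag: 5.7.20' in a WordPress readme.txt; 'trunk' deliberately does not match
STABLE_TAG_RE = re.compile(r"^\s*Stable tag:\s*([0-9][0-9.]*)",
                           re.IGNORECASE | re.MULTILINE)


def parse_version(readme_text: str) -> Optional[Tuple[int, ...]]:
    """Return the Stable tag as an int tuple, or None if absent/non-numeric."""
    m = STABLE_TAG_RE.search(readme_text)
    if not m:
        return None
    return tuple(int(p) for p in m.group(1).strip(".").split("."))


def is_affected(version: Tuple[int, ...]) -> bool:
    """Tuple comparison, so 5.7.9 < 5.7.20 and 5.8.0 > 5.7.20 compare correctly
    (a plain string comparison would get both of those wrong)."""
    return version <= LAST_VULNERABLE


def readme_url(base_url: str) -> str:
    """Default location of the plugin's readme on a WordPress install."""
    return f"{base_url.rstrip('/')}/wp-content/plugins/{PLUGIN_SLUG}/readme.txt"


def check_readme(readme_text: str) -> Dict[str, object]:
    """Classify a readme body: installed?, detected version, affected by the CVE?"""
    version = parse_version(readme_text)
    if version is None:
        return {"installed": False, "version": None, "affected": False}
    return {
        "installed": True,
        "version": ".".join(str(p) for p in version),
        "affected": is_affected(version),
    }


def check_site(base_url: str, timeout: float = 10.0) -> Dict[str, object]:
    """Fetch the readme from a live site. A 404 means the plugin is not at the
    default path (or the readme was removed); other HTTP errors are raised."""
    req = urllib.request.Request(
        readme_url(base_url),
        headers={"User-Agent": "cve-2024-4295-version-check"},  # arbitrary UA
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError as exc:
        if exc.code == 404:
            return {"installed": False, "version": None, "affected": False}
        raise
    return check_readme(body)


# Constructed sample readme, shaped like a real WordPress plugin readme.txt header.
SAMPLE_README = """=== Email Subscribers by Icegram Express ===
Contributors: icegram
Requires at least: 3.9
Tested up to: 6.5
Stable tag: 5.7.20
"""

if __name__ == "__main__":
    print(check_readme(SAMPLE_README))   # expected: affected == True
    # print(check_site("https://example.com"))  # live check against a site you own
```

Two caveats when reading the result: a missing readme does not prove the plugin is absent (site owners sometimes delete or block readme files), and "affected" is a version inference, not confirmation that the hash parameter is reachable on that site. Remediation is the same either way: upgrade to 5.7.21 or later.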
By using the S4E platform, users can safeguard their digital assets with continuous monitoring for vulnerabilities like SQL Injection in popular plugins like Email Subscribers by Icegram. The platform provides real-time alerts, comprehensive reports, and actionable remediation guidance to keep your website secure. Our automated security checks help prevent data breaches and ensure compliance with industry standards, protecting your business from cyber threats.
References: