WordPress Plugin Vulnerabilities

Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce < 5.7.35 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure

Description

The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'preview_email_template_design' function in all versions up to, and including, 5.7.34. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive data including the content of private, password protected, pending, and draft posts and pages.

Affects Plugins

Plugin icon
email-subscribers
Fixed in 5.7.35

References

CVE
CVE-2024-8771
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/f9d90717-fd48-493b-9293-32976bf2cada

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Michelle Porter
Verified
No
WPVDB ID
04a679d2-a01e-405c-bb94-40355b334f6b

Timeline

Publicly Published
2024-09-25 (about 1 year ago)
Added
2024-09-26 (about 1 year ago)
Last Updated
2024-09-26 (about 1 year ago)

Other

Published
Title
Published
2024-12-10
Title
Woffice < 5.4.15 - Unauthenticated Privilege Escalation
Published
2022-10-31
Title
miniOrange's Google Authenticator < 5.6.2 - Subscriber+ Settings Update
Published
2023-09-06
Title
rtMedia for WordPress, BuddyPress and bbPress < 4.6.15 - Missing Authorization via export_settings
Published
2024-08-21
Title
Image Optimizer, Resizer and CDN – Sirv < 7.2.8 - Missing Authorization to Authenticated (Contributor+) Arbitrary File Upload
Published
2025-11-04
Title
CoSchedule < 3.4.1 - Missing Authorization