WordPress Plugin Vulnerabilities

Email Subscribers & Newsletters < 4.1.8 - SQL Injection

Description

A SQL injection vulnerability exists in the Icegram Email Subscribers & Newsletters plugin through 4.1.7 for WordPress. Successful exploitation of this vulnerability would allow a remote attacker to execute arbitrary SQL commands on the affected system.

Affects Plugins

Plugin icon
email-subscribers
Fixed in 4.1.8

References

CVE
CVE-2019-13569
URL
https://fortiguard.com/zeroday/FG-VD-19-095
URL
https://www.fortinet.com/blog/threat-research/wordpress-plugin-sql-injection-vulnerability.html
URL
https://plugins.trac.wordpress.org/changeset/2124040/email-subscribers

Classification

Type
SQLI
OWASP top 10
A1: Injection
CWE
CWE-89
CVSS
8.3 (high)

Miscellaneous

Original Researcher
Tin Duong of Fortinet’s FortiGuard Labs, WordPress Plugin Review Team & Ihor Voschyk
Verified
No
WPVDB ID
2955922b-4946-4f83-adfd-584ad08eafa5

Timeline

Publicly Published
2019-07-22 (about 6 years ago)
Added
2019-07-22 (about 6 years ago)
Last Updated
2020-08-07 (about 5 years ago)

Other

Published
Title
Published
2015-04-21
Title
NEX-Forms - Ultimate Form builder <= 3.0 - SQL Injection
Published
2025-06-19
Title
AutomatorWP < 5.2.5 - Authenticated (Administrator+) SQL Injection
Published
2024-12-02
Title
Product Labels For Woocommerce < 1.5.9 - Authenticated (Administrator+) SQL Injection
Published
2025-07-16
Title
YayExtra < 1.5.6 - Authenticated (Administrator+) SQL Injection
Published
2015-04-14
Title
WP Symposium < 15.4 - SQL Injection