Email Subscribers by Icegram Express < 5.7.20 – Missing Authorization in handle_ajax_request | CVE 2024-4010 | Plugin Vulnerabilities

Description

The Email Subscribers by Icegram Express plugin for WordPress is vulnerable to unauthorized access of data, modification of data, and loss of data due to a missing capability check on the handle_ajax_request function in all versions up to, and including, 5.7.19. This makes it possible for authenticated attackers, with subscriber-level access and above, to cause a loss of confidentiality, integrity, and availability, by performing multiple unauthorized actions. Some of these actions could also be leveraged to conduct PHP Object Injection and SQL Injection attacks.

Affects Plugins

email-subscribers

Fixed in 5.7.20

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/23bfcdd1-b99d-47eb-9f88-96f9ecc53b32

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Arkadiusz Hydzik

Verified

No

WPVDB ID

e9197602-9290-444a-84ab-8af8902c51b7

Timeline

Publicly Published

2024-05-14 (about 1 year ago)

Added

2024-05-14 (about 1 year ago)

Last Updated

2024-05-14 (about 1 year ago)

Other

Published

Title

Published

2024-04-25

Title

XStore Core <= 5.3.5 - Missing Authorization

Published

2025-06-04

Title

Team Builder <= 1.5.7 - Missing Authorization

Published

2025-12-31

Title

Reuters Direct <= 3.0.0 - Missing Authorization

Published

2024-08-16

Title

Presto Player < 3.0.3 - Missing Authorization

Published

2025-01-06

Title

Hive Support – WordPress Help Desk < 1.1.7 - Missing Authorization