This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login. Read the full analysis β
Q1What is this vulnerability? (Essence + Consequences)
π¨ **Essence**: Critical SQL Injection (SQLi) in WordPress Plugin 'Email Subscribers'. π₯ **Consequences**: Attackers can append malicious SQL queries.β¦
π‘οΈ **Root Cause**: CWE-89 (SQL Injection). π **Flaw**: Insufficient escaping of user-supplied parameters in the `run` function of the `IG_ES_Subscribers_Query` class.β¦
π¦ **Affected**: WordPress Plugin: **Email Subscribers & Newsletters** by Icegram. π **Versions**: All versions up to and including **5.7.14**. π **Scope**: Over 90,000 websites potentially at risk.
Q4What can hackers do? (Privileges/Data)
π΅οΈ **Attacker Actions**: Unauthenticated attackers can execute arbitrary SQL. π **Impact**: Extract sensitive info (user creds, emails), modify/delete data, or gain administrative control.β¦
β‘ **Threshold**: LOW. π **Auth**: **Unauthenticated**. No login required. βοΈ **Config**: Low complexity (AC:L). Easy to exploit remotely.
Q6Is there a public Exp? (PoC/Wild Exploitation)
π£ **Exploitation**: YES. π **PoCs**: Multiple public Proof-of-Concept scripts available on GitHub (e.g., c0d3zilla, Quantum-Hacker). π **Risk**: Wild exploitation is highly likely given the low barrier to entry.
Q7How to self-check? (Features/Scanning)
π **Self-Check**: Scan for the plugin 'Email Subscribers'. π **Version Check**: Verify if installed version is β€ 5.7.14. π οΈ **Tools**: Use WordPress security scanners or check `wp-content/plugins/email-subscribers/` for β¦
β **Fixed**: YES. π§ **Patch**: Version **5.7.15** and above are patched. π **Reference**: See WordPress Plugin Directory changeset 3060251 for fix details.
Q9What if no patch? (Workaround)
π§ **No Patch?**: Disable the plugin immediately. π **Mitigation**: If active use is critical, implement strict WAF rules to block SQLi payloads in the `IG_ES_Subscribers_Query` endpoint.β¦