VYPR
Unrated severity · NVD Advisory · Published Oct 2, 2024 · Updated Apr 8, 2026

Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce <= 5.7.34 - Authenticated (Subscriber+) Arbitrary Shortcode Execution

CVE-2024-8254

Description

The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5.7.34. The plugin exposes an action that passes a user-controlled value to do_shortcode without properly validating it first. This makes it possible for authenticated attackers with Subscriber-level access and above to execute arbitrary shortcodes.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Email Subscribers by Icegram Express WordPress plugin, in versions up to and including 5.7.34, allows authenticated Subscriber-level users to execute arbitrary shortcodes because a user-supplied value is not properly validated before it reaches do_shortcode.

Vulnerability

The Email Subscribers by Icegram Express plugin for WordPress, in all versions up to and including 5.7.34, is vulnerable to arbitrary shortcode execution. The flaw arises because the plugin lets users perform an action that passes a value to do_shortcode without properly validating it. The vulnerable code path is reachable by authenticated users with Subscriber-level access or higher and requires no configuration beyond the default plugin setup [1].
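The defect class described above, as an added illustration that is not the Icegram Express plugin's own code: a hypothetical admin-ajax handler that hands a submitted value to do_shortcode behind a login check that every role passes, next to a hardened handler that enforces a nonce, a capability check, and an explicit allowlist of shortcodes. Action names, nonce names and the shortcode tags in the allowlist are assumptions for the example.

```php
<?php
// Illustrative only (not the plugin's code). Shows the pattern behind
// CVE-2024-8254: user-controlled text reaching do_shortcode() after an
// insufficient check, next to a hardened version. Names are hypothetical.

// VULNERABLE PATTERN: any logged-in user, Subscriber included, can reach this
// admin-ajax action, and the submitted value is expanded without validation.
add_action( 'wp_ajax_example_preview', 'example_preview_vulnerable' );
function example_preview_vulnerable() {
    // is_user_logged_in() is authentication, not authorization: every role passes.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'login required', 403 );
    }
    $content = isset( $_POST['content'] ) ? wp_unslash( $_POST['content'] ) : '';
    // Expands ANY shortcode registered by core or by any installed plugin.
    wp_send_json_success( do_shortcode( $content ) );
}

// HARDENED PATTERN: CSRF nonce, a real capability check, and only an explicit
// allowlist of shortcodes is expanded; everything else stays literal text.
add_action( 'wp_ajax_example_preview_safe', 'example_preview_hardened' );
function example_preview_hardened() {
    check_ajax_referer( 'example_preview_nonce' );          // dies on a bad nonce
    if ( ! current_user_can( 'manage_options' ) ) {        // admin-level capability
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    $raw     = isset( $_POST['content'] ) ? wp_unslash( $_POST['content'] ) : '';
    $content = wp_kses_post( $raw );                       // strip disallowed HTML first
    $allowed = array( 'example_name', 'example_unsubscribe' ); // hypothetical tags
    wp_send_json_success( example_do_allowed_shortcodes( $content, $allowed ) );
}

/**
 * Expand only the shortcodes listed in $allowed. do_shortcode() consults the
 * global $shortcode_tags registry, so narrowing it for the duration of the call
 * means any tag outside the allowlist is simply not recognised and is left as
 * plain text instead of being executed. The registry is always restored.
 */
function example_do_allowed_shortcodes( $content, array $allowed ) {
    global $shortcode_tags;
    $saved          = $shortcode_tags;
    $shortcode_tags = array_intersect_key( $shortcode_tags, array_flip( $allowed ) );
    try {
        return do_shortcode( $content );
    } finally {
        $shortcode_tags = $saved;
    }
}
```

The same allowlist idea applies to any stored template or preview feature: decide which shortcodes a feature legitimately needs and expand only those, rather than whatever the request happens to contain.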

Exploitation

An attacker needs only a valid WordPress user account with Subscriber-level privileges, the lowest default role [1]. Exploitation consists of sending a crafted request to the vulnerable action so that do_shortcode is invoked on attacker-chosen shortcode content. No additional user interaction, network position, or race window is required; the request can be issued directly through the plugin's administrative interface or API actions [1].

Impact

Successful exploitation lets the attacker expand any shortcode registered on the site, including those defined by WordPress core or by other installed plugins. The outcome depends on which shortcodes are available and can range from data disclosure to arbitrary file read or remote code execution if a shortcode such as [file], [php], or similar is present. In effect, a Subscriber gains capabilities well beyond that role's privileges, up to compromise of the entire site [1].

Mitigation

The vendor released version 5.7.35 on 2024-10-02 to fix this vulnerability; all existing users should update to 5.7.35 or later immediately. There is no known workaround for sites that cannot update; downgrading or disabling the plugin is the only alternative. This CVE is not listed in KEV as of publication [1].

AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
