Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce <= 5.7.34 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure
Description
The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'preview_email_template_design' function in all versions up to, and including, 5.7.34. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive data including the content of private, password protected, pending, and draft posts and pages.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Email Subscribers by Icegram Express plugin for WordPress, up to version 5.7.34, lacks a capability check on the preview_email_template_design function, allowing Subscriber-level and above users to access private posts and pages.
Vulnerability
The Email Subscribers by Icegram Express plugin for WordPress is vulnerable to unauthorized access of data in all versions up to, and including, 5.7.34. The root cause is a missing capability check on the preview_email_template_design function, which fails to enforce proper authorization before processing requests. This allows authenticated attackers to retrieve sensitive content from private, password-protected, pending, and draft posts and pages.
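An illustrative hardened WordPress AJAX preview handler for this class of bug, added here as an example (not the plugin's own source, which this page does not show). The hook name, nonce name and the 'edit_posts' capability are assumptions; the point is the capability and per-post checks whose absence leads to exactly the disclosure described above.

```php
<?php
/**
 * Hypothetical template-preview handler showing the authorization checks a
 * preview endpoint needs when the preview embeds post content.
 * Added example; not code from the Icegram Express plugin.
 */

// Hypothetical action name; the real hook name is not given on this page.
add_action( 'wp_ajax_example_preview_email_template', 'example_preview_email_template' );

function example_preview_email_template() {
    // 1. CSRF: the request must carry a nonce tied to this action.
    check_ajax_referer( 'example_preview_nonce', 'security' );

    // 2. Capability check (the class of check the advisory describes as
    //    missing). Template preview is an editorial feature, so require a
    //    capability Subscribers do not hold; 'edit_posts' is an assumption.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $post_id = isset( $_POST['post_id'] ) ? absint( wp_unslash( $_POST['post_id'] ) ) : 0;
    $post    = $post_id ? get_post( $post_id ) : null;
    if ( ! $post ) {
        wp_send_json_error( array( 'message' => 'Post not found.' ), 404 );
    }

    // 3. Object-level check: a role-wide capability is not enough when the
    //    response embeds one specific post. 'read_post' is a WordPress meta
    //    capability that map_meta_cap resolves to read_private_posts (private)
    //    or edit_post (draft/pending) for posts the user does not own.
    if ( ! current_user_can( 'read_post', $post->ID ) ) {
        wp_send_json_error( array( 'message' => 'You cannot read this post.' ), 403 );
    }

    // 4. Password-protected posts: the preview must not bypass the password.
    if ( post_password_required( $post ) ) {
        wp_send_json_error( array( 'message' => 'Post is password protected.' ), 403 );
    }

    $html = '<h1>' . esc_html( get_the_title( $post ) ) . '</h1>'
          . wp_kses_post( apply_filters( 'the_content', $post->post_content ) );

    wp_send_json_success( array( 'preview' => $html ) );
}
```

Checks 3 and 4 are what keep private, pending, draft and password-protected content out of the preview even for users who legitimately pass check 2.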
Exploitation
To exploit this vulnerability, an attacker must have a valid WordPress account with at least Subscriber-level access. No additional privileges or special conditions are required. The attacker can send a crafted request to the vulnerable preview_email_template_design function, which will return the content of restricted posts and pages without proper permission validation.
Impact
Successful exploitation enables an attacker to extract the full content of private, password-protected, pending, and draft posts and pages. This leads to information disclosure of potentially sensitive data, including unpublished content, draft revisions, or password-protected material. The attacker does not need to be logged in as an administrator or editor; any authenticated user with Subscriber-level or higher access can perform this attack.
Mitigation
The vendor has released version 5.9.24 of the plugin (last updated 2026-05-13), which includes a fix for this vulnerability. Users should update to version 5.9.24 or later immediately [1]. There are no known workarounds for unpatched versions; applying the update is the only mitigation. The vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: <= 5.7.34
Patches
r3157336
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.