CVE-2026-1651
Description
The Email Subscribers by Icegram Express plugin for WordPress is vulnerable to SQL Injection via the 'workflow_ids' parameter in all versions up to, and including, 5.9.16 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
SQL injection vulnerability in Email Subscribers by Icegram Express allows admin-level attackers to extract sensitive database information via the 'workflow_ids' parameter.
Vulnerability
Details
The Email Subscribers by Icegram Express plugin for WordPress is vulnerable to SQL injection in all versions up to and including 5.9.16. The flaw resides in the update_status() function within /lite/includes/workflows/db/class-es-db-workflows.php. The workflow_ids parameter is passed through esc_sql(), which only escapes quotes and backslashes; that is insufficient against SQL injection in an IN clause, where numeric values are not quoted and so the escaping has nothing to neutralise. This allows authenticated attackers with administrator-level access to inject arbitrary SQL queries.
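As an added illustration (not the plugin's own code), the pattern the Details section describes: esc_sql() applied to an unquoted IN (...) list, beside a hardened builder that accepts only positive integer ids. It runs stand-alone without WordPress; esc_sql_stub() and the table name wp_workflows are assumptions.

```php
<?php
// Added illustration, not the plugin's own code. esc_sql_stub() approximates
// WordPress esc_sql(), which only escapes quotes, backslashes and a few
// control bytes; the table name is an assumed placeholder.
function esc_sql_stub(string $value): string {
    return addslashes($value);
}

// Vulnerable pattern: the escaped list is interpolated without quotes, so a
// value containing no quotes or backslashes reaches the SQL text unchanged.
function build_update_vulnerable(string $workflow_ids, int $status): string {
    $ids = esc_sql_stub($workflow_ids);
    return "UPDATE wp_workflows SET status = {$status} WHERE id IN ({$ids})";
}

// Hardened pattern: treat the parameter as data. Every element must be a
// positive integer literal; anything else rejects the whole request.
function parse_workflow_ids(string $workflow_ids): ?array {
    $ids = [];
    foreach (explode(',', $workflow_ids) as $raw) {
        $raw = trim($raw);
        if (preg_match('/^[1-9][0-9]*$/', $raw) !== 1) {
            return null;
        }
        $ids[] = (int) $raw;
    }
    return array_values(array_unique($ids));
}

function build_update_hardened(string $workflow_ids, int $status): ?string {
    $ids = parse_workflow_ids($workflow_ids);
    if ($ids === null) {
        return null;
    }
    // Inside WordPress, pass these to $wpdb->prepare() with one %d per id:
    // implode(',', array_fill(0, count($ids), '%d')). Plain ints are shown here.
    return "UPDATE wp_workflows SET status = {$status} WHERE id IN (" . implode(',', $ids) . ')';
}

// Constructed inputs: a benign list and one carrying unquoted non-numeric text.
$inputs = ['3,7,7', '3,7 extra-text-that-is-not-an-id'];
foreach ($inputs as $input) {
    echo "input:      {$input}\n";
    echo "vulnerable: " . build_update_vulnerable($input, 1) . "\n";
    echo "hardened:   " . (build_update_hardened($input, 1) ?? 'rejected') . "\n\n";
}
```

The second input passes through the vulnerable builder verbatim because addslashes()-style escaping finds nothing to escape, while the hardened builder rejects it outright.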
Exploitation
An attacker with administrator privileges can supply a malicious value for workflow_ids via the WordPress admin interface. The insufficient sanitization permits the injection of additional SQL statements into the existing query. No network-level authentication is required beyond the admin session, and the attacker can exploit this remotely.
Impact
Successful exploitation enables the attacker to extract sensitive information from the database, such as user credentials, email lists, and other private data. The CVSS score for this vulnerability is 6.5 (Medium) in the original CVE, though the reference rates it as 7.2 (High) under CVSS:3.1 [1].
Mitigation
Users should update to a patched version if available. The vendor has not yet released a fix addressing the flaw in version 5.9.16 and earlier. Until a patch is applied, administrators should limit access to trusted users and review any custom modifications.
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=5.9.16
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- downloads.wordpress.org/plugin/email-subscribers.5.9.15.zip (nvd)
- gist.github.com/stevenyu113228/6c5c3f660e6dc739768842c051028f40 (nvd)
- plugins.trac.wordpress.org/browser/email-subscribers/tags/5.9.15/lite/includes/workflows/db/class-es-db-workflows.php (nvd)
- plugins.trac.wordpress.org/browser/email-subscribers/trunk/lite/includes/workflows/db/class-es-db-workflows.php (nvd)
- plugins.trac.wordpress.org/changeset/3464881/ (nvd)
- www.wordfence.com/threat-intel/vulnerabilities/id/d8dc995d-912e-4d83-84cc-c99242022b82 (nvd)
News mentions
No linked articles in our index yet.