25 matches found
CVE-2019-13569
The CVE-2019-13569 entry concerns the Icegram Email Subscribers & Newsletters plugin for WordPress, affected through version 4.1.7. The connected sources describe a SQL injection bug caused by improper sanitization of user input, enabling a remote attacker to execute arbitrary SQL commands on the...
CVE-2019-20361
CVE-2019-20361 affects the WordPress plugin Email Subscribers & Newsletters (before 4.3.1). A blind, time-based SQL injection exists via the hash parameter, enabling SQL statements to be passed to the database. Public disclosures and PoCs exist (e.g., Exploit-DB 48699, Metasploit module for a Wor...
CVE-2019-19985
CVE-2019-19985 concerns the WordPress plugin Email Subscribers & Newsletters (before 4.2.3). The issue allows unauthenticated arbitrary file retrieval, enabling file download and user information disclosure. Connections in the provided documents confirm the vulnerability affects versions prior to...
CVE-2024-4295
CVE-2024-4295 affects the WordPress plugin Email Subscribers by Icegram Express . It is an unauthenticated SQL injection via the hash parameter in all versions up to 5.7.20 caused by insufficient escaping and poor SQL query preparation. Exploitation could enable attackers to append additional SQL...
CVE-2019-14364
The CVE-2019-14364 entry describes a Cross-Site Scripting (XSS) vulnerability in the WordPress Email Subscribers & Newsletters plugin version 4.1.6. The issue arises from a malicious input via the esfpx_name parameter on the wp-admin/admin-ajax.php endpoint, exposed through a publicly accessible ...
CVE-2022-0439
CVE-2022-0439 affects the Email Subscribers & Newsletters WordPress plugin prior to 5.3.2. The vulnerability arises from improper escaping of the order and orderby parameters in the ajax_fetch_report_list action, enabling blind SQL injection. CSRF protection is also absent for this action, allowi...
CVE-2019-19981
CVE-2019-19981 affects the WordPress plugin Email Subscribers & Newsletters (before 4.2.3). The vulnerability is a CSRF flaw that can be exploited to impact all plugin settings. Remediation observed in public sources is to update to version 4.2.3 or later. Additional connected feeds note broader ...
CVE-2019-19982
The CVE-2019-19982 entry concerns the WordPress plugin Email Subscribers & Newsletters prior to version 4.2.3 . The vulnerability allows unauthenticated option creation when an attacker sends a request to /wp-admin/admin-post.php?es_skip=1&option_name= , enabling modification of plugin options wi...
CVE-2019-19980
The CVE-2019-19980 entry concerns the WordPress plugin Email Subscribers & Newsletters prior to version 4.2.3. Root cause: the plugin registers a wp_ajax send_test_email function, enabling a privilege-bypass that lets authenticated users (Subscriber and higher) send test emails from the admin das...
CVE-2024-5703
The CVE CVE-2024-5703 affects the WordPress plugin Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce (versions up to 5.7.26). The issue is a missing capability check that permits unauthorized API access to the plugin’s API (if enabled) by ...
CVE-2019-19984
The CVE-2019-19984 entry describes a vulnerability in the WordPress plugin Email Subscribers & Newsletters before version 4.2.3 where users with edit_post privileges could manage plugin settings and email campaigns. The issue is a privilege/AC (access control) weakness allowing low-privilege user...
CVE-2024-6172
CVE-2024-6172 affects the Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin. Root cause: insufficient escaping and inadequate query preparation on the db parameter; enables time-based SQL injection. Affected versions: all up to 5.7....
CVE-2024-31352
CVE-2024-31352 : WordPress plugin Email Subscribers by Icegram Express (Email Subscribers & Newsletters) up to version 5.7.13 is affected by a Missing Authorization vulnerability that allows unauthorized access. Root cause is missing authorization checks. A patch/update beyond 5.7.13 exists; and ...
CVE-2022-3981
The CVE-2022-3981 entry concerns the Icegram Express WordPress plugin prior to version 5.5.1. Affected component: the plugin’s SQL statements, where improper sanitization/escaping of a parameter enables a SQL injection. Root cause: unsanitized input used in SQL queries; impact: high (CVE details ...
CVE-2020-5767
CVE-2020-5767 concerns a cross-site request forgery in the WordPress plugin “Email Subscribers & Newsletters” by Icegram, specifically version 4.4.8. The vulnerability allows a remote attacker to cause the affected WordPress user to send forged emails by tricking them into visiting a crafted link...
CVE-2020-5780
The CVE-2020-5780 entry concerns the WordPress plugin Icegram Email Subscribers & Newsletters. Affected version(s) are prior to 4.5.6, where a vulnerability in the class-es-newsletters.php allows an unauthenticated, remote attacker to forge/spoof emails via an unauthenticated AJAX request to an a...
CVE-2024-8254
CVE-2024-8254 affects the Email Subscribers by Icegram Express for WordPress (
CVE-2024-12311
CVE-2024-12311 affects Icegram Express (Email Subscribers by Icegram Express) for WordPress. The vulnerability is an SQL injection in the plugin’s handling of a parameter that is not properly sanitized/escaped before being used in an SQL statement. This could allow an authenticated admin to manip...
CVE-2020-5768
CVE-2020-5768 targets the WordPress plugin Icegram Email Subscribers & Newsletters (v4.4.8) . The flaw is an authenticated SQL injection in the es_newsletters_settings_callback component, caused by improper sanitization, enabling a remote, logged-in attacker to infer database field values. This a...
CVE-2024-8771
CVE-2024-8771 (Email Subscribers by Icegram Express) : The WordPress plugin versions up to 5.7.34 allow unauthorized data access due to a missing capability check in the preview_email_template_design function. With Subscriber-level access and above, authenticated attackers can extract content fro...
CVE-2018-6015
The CVE-2018-6015 issue affects WordPress Email Subscribers & Newsletters plugin prior to v3.4.8. An attacker can trigger an information-disclosure by sending an HTTP POST to a URI ending with /?es=export and including option=view_all_subscribers in the body, which allows downloading a CSV contai...
CVE-2024-11636
CVE-2024-11636 affects the Email Subscribers by Icegram Express WordPress plugin prior to 5.7.45. The issue is that certain Text Block options are not properly sanitised/escaped, enabling Stored XSS by high-privilege users (e.g., admins) even when unfiltered_html is disallowed (such as in multisi...
CVE-2024-12566
CVE-2024-12566 affects the WordPress plugin Icegram Express (formerly Email Subscribers) for versions before 5.7.45. The issue is an admin+ stored XSS vulnerability caused by insufficient sanitisation/escaping of certain form settings, potentially enabling an admin to inject scripts even when unf...
CVE-2024-12568
CVE-2024-12568 affects the WordPress plugin “Email Subscribers by Icegram Express” (pre-5.7.45). The issue is a Stored XSS vulnerability caused by insufficient sanitization/escaping of Workflow settings, exploitable by high-privilege users (e.g., admins), and can occur even when unfiltered_html i...
CVE-2024-12567
CVE-2024-12567 – Icegram Express Email Subscribers (WP plugin) prior to 5.7.45 stores and escapes settings poorly, enabling stored XSS by high-privilege users (e.g., admins) even when unfiltered_html is disabled. Impact described in sources as admin-level Stored XSS within form settings, multisit...