CVE-2024-12566 – Email Subscribers by Icegram Express – Stored XSS to JS Backdoor Creation – POC

Email Subscribers by Icegram Express is a popular WordPress plugin that enables website owners to collect email subscribers and send newsletters, notifications, and updates. However, CVE-2024-12566 has been identified as a serious Stored Cross-Site Scripting (XSS) vulnerability within the plugin. This flaw allows attackers with editor-level access to inject malicious JavaScript code into a form’s “Show message” field. Once the malicious script is embedded, it can lead to session hijacking or the creation of a backdoor admin account. With over 100,000 active installations, this vulnerability poses a significant risk for WordPress websites using Email Subscribers by Icegram Express.
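As an added illustration (not the plugin's or the vendor's code), the output pattern behind a stored XSS like the one described above, shown as a vulnerable renderer beside a hardened one that escapes on output, plus a small audit check for values already saved; the function names and the sample "Show message" value are hypothetical and constructed for this example.

```php
<?php
// Added example, not code from the Email Subscribers plugin. Function names
// and the sample stored value below are hypothetical / constructed.

// Constructed sample of what an editor-level user could save into a form's
// "Show message" field. The payload is the textbook XSS probe, used only to
// show the difference between the two renderers.
$stored_show_message = 'Thanks for subscribing! <script>alert(document.cookie)</script>';

// Vulnerable pattern: the stored value is written straight into the page, so
// any markup or script it contains runs in every visitor's browser.
function render_show_message_vulnerable(string $message): string
{
    return '<div class="es-message">' . $message . '</div>';
}

// Hardened pattern: escape on output so the value is displayed as text.
// In plain PHP htmlspecialchars() with ENT_QUOTES does this; inside WordPress
// the idiomatic calls are esc_html() for plain text or wp_kses_post() when a
// restricted HTML subset must be allowed.
function render_show_message_hardened(string $message): string
{
    $safe = htmlspecialchars($message, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div class="es-message">' . $safe . '</div>';
}

// Audit helper for data saved before a fix: flag stored messages containing
// script tags, inline event handlers, or javascript: URLs so a site owner can
// review the affected forms.
function message_looks_injected(string $message): bool
{
    return (bool) preg_match('/<\s*script\b|\bon[a-z]+\s*=|javascript\s*:/i', $message);
}

echo render_show_message_vulnerable($stored_show_message), PHP_EOL;
echo render_show_message_hardened($stored_show_message), PHP_EOL;
echo message_looks_injected($stored_show_message) ? "flagged for review\n" : "clean\n";
```

The hardened renderer turns the sample into `&lt;script&gt;...&lt;/script&gt;`, which the browser displays rather than executes; the audit helper reports the sample as flagged.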
