The Email Subscribers plugin for WordPress, which is widely used to manage subscribers, campaigns, and emails, has been found to contain a critical SQL Injection vulnerability identified as CVE-2024-12311. This flaw allows attackers to inject malicious SQL queries into the plugin’s user input fields, enabling unauthorized access to the database. Such an attack could potentially lead to data leakage or manipulation, posing serious security risks. With over 100,000 active installations, this vulnerability represents a significant threat to the integrity and confidentiality of data in WordPress sites using the Email Subscribers plugin.
| Field | Value |
| --- | --- |
| CVE | CVE-2024-12311 |
| Plugin | Email Subscribers < 5.7.44 |
| Severity | High |
| All-time downloads | 2 123 571 |
| Active installations | 100 000+ |
| Publicly published | December 17, 2024 |
| Last updated | December 17, 2024 |
| Researcher | Dmitrii Ignatyev |
| OWASP Top 10 | A1: Injection |
| PoC | Yes |
| Exploit | No |
| References | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12311, https://wpscan.com/vulnerability/5e00ba37-da7f-4703-a0b9-65237696fbdd/ |
Timeline
| Date | Event |
| --- | --- |
| November 25, 2024 | Plugin testing and vulnerability detection in Email Subscribers by Icegram Express – Affordable, Powerful Email Marketing for WordPress & WooCommerce was completed |
| November 25, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| December 25, 2024 | Registered CVE-2024-12311 |
Discovery of the Vulnerability
The vulnerability was discovered during a security audit of the Email Subscribers plugin. It was found that the plugin fails to properly sanitize input in the “[datalorder_by_column]” field when interacting with certain admin pages, specifically under the “Campaigns” section. By manipulating the input field with specially crafted SQL queries, an attacker can trigger SQL Injection, which allows them to bypass security controls and directly interact with the WordPress database. This flaw arises due to inadequate input validation in handling user-supplied data, making it possible to execute arbitrary SQL queries on the server.
Understanding SQL Injection Attacks
SQL Injection is a type of vulnerability that occurs when an attacker is able to insert malicious SQL code into a query. If the user input is not properly sanitized, the attacker’s code is executed directly by the database, potentially allowing them to view, modify, or delete data. SQL Injection attacks can lead to significant consequences, such as unauthorized access to sensitive information, corruption of data, or the complete compromise of the website. A real-world example of SQL Injection in WordPress occurred in the WPDB plugin, where attackers could manipulate query parameters to gain unauthorized access to the database. Similarly, CVE-2024-12311 exploits poor input validation in the Email Subscribers plugin, allowing for arbitrary SQL queries to be executed.
Exploiting the SQL Injection Vulnerability
To exploit CVE-2024-12311, an attacker with editor-level privileges proceeds as follows.
POC:
1) Go to 127.0.0.1/wordpress/wp-admin/admin.php?page=es_campaigns#!/campaigns.
2) Check for the request "/wordpress/wp-admin/admin-ajax.php?action=icegram-express" with the "get_campaigns" method.
3) To trigger the SQL Injection, put the payload "id AND (SELECT 2630 FROM ( SELECT( SLEEP(5)) lakvy)" into the "[datalorder_by_column]" field.
The risks of CVE-2024-12311 are significant. If exploited, an attacker could gain unauthorized access to the WordPress database, which may contain sensitive user data such as email addresses, passwords, or other personal information. This could lead to data leakage, which could have serious privacy implications for both site administrators and users. In a real-world scenario, the attacker could also modify data in the database, such as altering campaign information, deleting records, or even inserting malicious content that could further compromise the site. Additionally, SQL Injection could be used as a stepping stone to escalate privileges, allowing attackers to execute additional malicious actions, such as gaining administrative access to the WordPress dashboard. For websites dealing with sensitive customer or financial data, the consequences could be devastating, leading to financial losses, reputational damage, and legal ramifications.
Recommendations for Improved Security
To mitigate the risks associated with CVE-2024-12311, administrators should update the Email Subscribers plugin to the latest patched version as soon as it becomes available. Additionally, administrators should ensure that all user input, particularly input that reaches the database, is properly sanitized and validated before being used in queries. Implementing prepared statements or parameterized queries in the plugin would prevent attackers from injecting arbitrary SQL code into the query. Furthermore, it is recommended to disable the unfiltered_html capability for non-admin users, as this can limit the potential for other types of attacks. Regular security audits, the use of security plugins, and the implementation of Web Application Firewalls (WAFs) are also essential in detecting and blocking SQL Injection attempts before they can be exploited. To prevent this type of attack, the vendor applied the prevention methods we recommended.
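The flaw sits in an ORDER BY column name, which is an identifier rather than a value, so `$wpdb->prepare()` alone cannot bind it; the example below (added here, not the plugin's actual code or fix) shows the vulnerable concatenation beside a hardened form that allowlists the column and only parameterizes real values. The function names, the table name `ig_campaigns` and the column list are assumptions.

```php
<?php
// Added example, not the plugin's code. Assumes the WordPress global $wpdb
// and a hypothetical campaigns table; column names are assumptions as well.

// Vulnerable pattern: the client-supplied column name is concatenated into the
// SQL text, so whatever arrives in order_by_column becomes part of the query.
function es_get_campaigns_vulnerable( array $data ) {
    global $wpdb;
    $column = isset( $data['order_by_column'] ) ? $data['order_by_column'] : 'id';
    $order  = isset( $data['order'] ) ? $data['order'] : 'DESC';
    $sql    = "SELECT * FROM {$wpdb->prefix}ig_campaigns ORDER BY {$column} {$order}";
    return $wpdb->get_results( $sql );
}

// Hardened pattern: identifiers cannot be bound as parameters, so compare the
// requested column against a fixed allowlist and fall back to a safe default.
const ES_CAMPAIGN_SORT_COLUMNS = array( 'id', 'name', 'type', 'status', 'created_at' );

function es_safe_order_clause( $column, $direction ) {
    // Strict in_array(): a non-string (e.g. an array from data[order_by_column][]) is rejected too.
    $column    = in_array( $column, ES_CAMPAIGN_SORT_COLUMNS, true ) ? $column : 'id';
    $direction = ( is_string( $direction ) && strtoupper( $direction ) === 'ASC' ) ? 'ASC' : 'DESC';
    return "ORDER BY `{$column}` {$direction}";
}

function es_get_campaigns_hardened( array $data, $per_page = 20, $page = 1 ) {
    global $wpdb;
    $order_clause = es_safe_order_clause(
        isset( $data['order_by_column'] ) ? $data['order_by_column'] : 'id',
        isset( $data['order'] ) ? $data['order'] : 'DESC'
    );
    // Values (LIMIT / OFFSET) are bound through prepare(); the identifier was allowlisted above.
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}ig_campaigns {$order_clause} LIMIT %d OFFSET %d",
        absint( $per_page ),
        absint( ( max( 1, (int) $page ) - 1 ) * $per_page )
    );
    return $wpdb->get_results( $sql );
}

// Self-check that runs without WordPress: the payload quoted in the PoC above
// is not in the allowlist, so it collapses to the default column; a legitimate
// column name and direction pass through unchanged.
$sleep_payload = 'id AND (SELECT 2630 FROM ( SELECT( SLEEP(5)) lakvy)';
var_dump( es_safe_order_clause( $sleep_payload, 'DESC' ) === 'ORDER BY `id` DESC' );
var_dump( es_safe_order_clause( 'name', 'asc' ) === 'ORDER BY `name` ASC' );
```

The same allowlist approach applies to any other identifier taken from the request (table names, sort direction, field lists), since none of them can be passed as a `%s` placeholder.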
By taking proactive measures to address SQL Injection vulnerabilities like CVE-2024-12311, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
Dmitrii I.