Email Subscribers by Icegram Express is a popular WordPress plugin that lets site owners collect email subscribers and send newsletters, notifications and updates. CVE-2024-12566 is a Stored Cross-Site Scripting (XSS) vulnerability in the plugin: a user with editor-level access can inject JavaScript into a form's "Show message" field, and the payload is stored unsanitized in the database. Once stored, the script runs in the browser of anyone who submits that form, including an administrator, and can be used to ride that session or to create a backdoor administrator account. With over 100,000 active installations, the flaw poses a significant risk for WordPress sites running Email Subscribers by Icegram Express.

CVE: CVE-2024-12566
Plugin: Email Subscribers < 5.7.45
Criticality: High
All-time downloads: 11 023 855
Active installations: 100 000+
Publicly published: December 17, 2024
Last updated: December 17, 2024
Researcher: Dmitrii Ignatyev
OWASP Top 10: A7: Cross-Site Scripting (XSS)
PoC: Yes
Exploit: No
References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12566
https://wpscan.com/vulnerability/9206064a-d54e-44ad-9670-65520ee166a6/

Timeline

November 18, 2024: Plugin testing and vulnerability detection in Email Subscribers completed
November 18, 2024: I contacted the plugin author and provided a PoC with a description of the vulnerability and recommendations for fixing it
December 17, 2024: CVE-2024-12566 registered

Discovery of the Vulnerability

The vulnerability was discovered during a security audit of the Email Subscribers plugin. The plugin does not sanitize the value of the "Show message" field when a new form is created. This field holds the text shown to a visitor after the form is submitted, but because the input is neither validated on save nor escaped on output, a user who can edit forms can place JavaScript in the form settings, and that value is stored as-is in the WordPress database. Whenever a visitor submits the form, the stored message is written into the page unescaped and the payload executes in that visitor's browser.
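The pattern behind this class of bug, shown as an added example rather than the plugin's own code: a save handler that stores the setting verbatim and a renderer that echoes it, beside the hardened save-and-escape version. The function names (vuln_*, safe_*), the show_message key and the es-message CSS class are illustrative assumptions; only esc_html and sanitize_text_field are real WordPress functions, and the stand-ins at the top exist solely so the file also runs on the PHP CLI outside WordPress.

```php
<?php
// Added example, not code from Email Subscribers. Stand-ins so the file runs on
// the PHP CLI; inside WordPress the real functions exist and these are skipped.
if (!function_exists('esc_html')) {
    function esc_html($text) {
        return htmlspecialchars((string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($str) {
        // Crude stand-in: the WordPress version also strips octets and line breaks.
        return trim(strip_tags((string) $str));
    }
}

// --- Vulnerable pattern ---------------------------------------------------
// Save handler: the message is stored exactly as the editor typed it.
function vuln_save_form_settings(array $post) {
    return ['show_message' => $post['show_message']];   // no sanitization
}
// Renderer: the stored string is dropped straight into the page after submit,
// so an <img onerror=...> in it becomes live markup in the visitor's browser.
function vuln_render_success(array $settings) {
    return '<div class="es-message">' . $settings['show_message'] . '</div>';
}

// --- Hardened pattern -----------------------------------------------------
// Sanitize on save (defence in depth) ...
function safe_save_form_settings(array $post) {
    return ['show_message' => sanitize_text_field($post['show_message'])];
}
// ... and escape at the output point. This is the control that matters: it also
// neutralises rows that were stored before the fix shipped.
function safe_render_success(array $settings) {
    return '<div class="es-message">' . esc_html($settings['show_message']) . '</div>';
}

// Constructed input: the PoC payload as an editor would submit it.
$submitted = ['show_message' => '<img src=x onerror=alert(1)>'];

// The tag survives both save and render: the handler fires on submit.
echo "vulnerable: ", vuln_render_success(vuln_save_form_settings($submitted)), "\n";

// The tag is stripped on save and whatever remains is escaped on output.
echo "hardened:   ", safe_render_success(safe_save_form_settings($submitted)), "\n";

// A row stored before sanitization was added: escaping alone renders the
// payload as visible text instead of markup.
echo "legacy row: ", safe_render_success($submitted), "\n";
```

sanitize_text_field throws away all markup, which is the right default for a one-line status message. If the field is meant to allow a little formatting, use wp_kses_post (or a narrower wp_kses allowlist) on both save and output instead; an allowlist keeps harmless tags while dropping event-handler attributes such as onerror.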

Understanding XSS attacks

Cross-Site Scripting (XSS) vulnerabilities are a common class of flaw in web applications, WordPress plugins included. They arise when attacker-controlled input is written into a page without proper escaping, so that the browser of every user who views that page executes the attacker's script with that user's session. In a stored XSS the payload lives in the database and fires repeatedly, which is what makes it dangerous: a privileged user only has to load the affected page once. The consequences include session riding, theft of sensitive data and privilege escalation. XSS flaws of this kind have been reported in other WordPress form plugins, WPForms among them, where JavaScript placed in form fields was later executed in the browsers of unsuspecting users. CVE-2024-12566 follows the same pattern: improper sanitization of the "Show message" field in Email Subscribers lets an attacker store JavaScript in the form settings.

Exploiting the XSS Vulnerability

To exploit CVE-2024-12566, an attacker with editor-level privileges proceeds as follows.

POC:

Create a new form and click "Next". Set the "Show message" field to "<img src=x onerror=alert(1)>", save the form and copy its shortcode. To trigger the XSS, create a new post, insert the form's shortcode, open the post and click the form's Submit button: the stored message is rendered unescaped and the payload runs. Note that administrators and editors are allowed to use JavaScript in posts, pages, comments and similar content by default, so the unfiltered_html capability should be disabled when testing for stored XSS with such roles; otherwise a script placed directly in the post body would fire regardless of the plugin, and the result would prove nothing about the "Show message" field.


The risks associated with CVE-2024-12566 are significant. If exploited, the vulnerability can lead to a complete takeover of the WordPress site. The payload runs in the browser of whoever submits the form, so when an administrator does, the script executes with that administrator's authenticated session. WordPress authentication cookies are HttpOnly, so the script does not need to steal them: it can issue requests on the administrator's behalf, read sensitive site data, modify content, or escalate by creating a backdoor administrator account that survives a password change by the original admin. For sites that handle sensitive data, such as e-commerce sites or membership platforms, this can mean data breaches, financial loss and lasting reputational damage. Once the attacker holds an administrator account, installing malicious plugins or altering the site in harmful ways is straightforward.

Recommendations for Improved Security

To mitigate the risks associated with CVE-2024-12566, administrators should update Email Subscribers by Icegram Express to version 5.7.45 or later, where the issue is fixed. Administrators should also review and restrict user permissions so that non-admin users, editors in particular, cannot modify form settings such as the "Show message" field. On the plugin side, every field that reaches the page must be sanitized on save and escaped on output to prevent JavaScript injection. Removing the unfiltered_html capability from non-admin users limits what an editor can inject elsewhere on the site, and a Content Security Policy (CSP) that forbids inline scripts reduces the impact of an XSS that does slip through. Regular security audits and security plugins that scan for known vulnerabilities help identify and address such flaws before they are exploited. To prevent this type of attack, the vendor applied the prevention methods we provided.
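Two of the controls above, the unfiltered_html restriction mentioned in the PoC note and the CSP recommended here, implemented as a must-use plugin. This is an added hardening example, not part of Email Subscribers; it depends on WordPress being loaded (drop it into wp-content/mu-plugins/), so it is not a stand-alone script. The filter and action names (map_meta_cap, send_headers), the do_not_allow pseudo-capability and DISALLOW_UNFILTERED_HTML are real WordPress facilities; the specific policy directives are an assumed starting point for a theme that loads its scripts from the site's own origin.

```php
<?php
/**
 * Plugin Name: XSS hardening (added example, not part of Email Subscribers)
 *
 * 1. Strip the unfiltered_html capability from everyone who is not an
 *    administrator, so editors' markup in posts, pages, comments and plugin
 *    settings is filtered through wp_kses. The blunter alternative is
 *    define('DISALLOW_UNFILTERED_HTML', true) in wp-config.php, which removes
 *    the capability from administrators as well.
 * 2. Send a Content-Security-Policy on front-end pages that has no
 *    'unsafe-inline' for scripts, so an injected onerror= handler does not run
 *    even if a plugin echoes it. Tune it in Report-Only mode first.
 */

// 1. Non-administrators never get unfiltered_html.
add_filter('map_meta_cap', function ($caps, $cap, $user_id) {
    if ('unfiltered_html' === $cap && !user_can($user_id, 'manage_options')) {
        // 'do_not_allow' is a hard deny in WP_User::has_cap().
        $caps = ['do_not_allow'];
    }
    return $caps;
}, 10, 3);

// 2. Front-end CSP. send_headers fires for front-end requests only; the admin
//    area relies on inline scripts and is not covered by this policy.
add_action('send_headers', function () {
    if (is_admin() || headers_sent()) {
        return;
    }
    $policy = implode('; ', [
        "default-src 'self'",
        "script-src 'self'",              // no 'unsafe-inline': onerror=alert(1) is blocked
        "style-src 'self' 'unsafe-inline'",
        "img-src 'self' data:",
        "object-src 'none'",
        "base-uri 'self'",
        "frame-ancestors 'self'",
    ]);
    // Switch to Content-Security-Policy-Report-Only while checking that the
    // theme and the plugins in use still work without inline scripts.
    header('Content-Security-Policy: ' . $policy);
});
```

The capability filter is the part that makes stored-XSS testing meaningful: with it in place, a script that fires from a post written by an editor can only be coming from a plugin that echoes stored data unescaped. Expect the CSP to break front-end inline scripts that WordPress core and many plugins emit; add nonces or hashes for those before enforcing it.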

By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-12566, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.



Dmitrii I.
CVE-2024-12566 – Email Subscribers by Icegram Express – Stored XSS to JS Backdoor Creation – POC
