Email Subscribers by Icegram Express is a popular WordPress plugin designed to help website administrators manage email subscriptions and send automated notifications, such as confirmation emails and newsletters. However, CVE-2024-12568 has been identified as a critical vulnerability in the plugin that allows attackers to inject malicious JavaScript into the email content field of a new workflow. The injected script can lead to a backdoor creation, allowing attackers to hijack admin sessions or escalate their privileges to take full control of the WordPress site. With over 100,000 active installations, this vulnerability poses a significant risk to WordPress websites that rely on Email Subscribers for their subscription management.
| Field | Value |
|---|---|
| CVE | CVE-2024-12568 |
| Plugin | Email Subscribers < 5.7.45 |
| Severity | High |
| All-time downloads | 11 023 855 |
| Active installations | 100 000+ |
| Publicly published | December 17, 2024 |
| Last updated | December 17, 2024 |
| Researcher | Dmitrii Ignatyev |
| OWASP Top 10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| References | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12568 ; https://wpscan.com/vulnerability/0ce9075a-754b-474e-9620-17da8ee29b56/ |
Timeline

| Date | Event |
|---|---|
| November 18, 2024 | Plugin testing and vulnerability detection in Email Subscribers were completed |
| November 18, 2024 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| December 17, 2024 | Registered CVE-2024-12568 |
Discovery of the Vulnerability
The vulnerability was discovered during a security review of the Email Subscribers plugin. The plugin fails to properly sanitize user input in the “Email Content” field when a new workflow is configured, specifically the “Subscriber: Confirmation email” workflow. By injecting JavaScript into this field, an attacker stores the payload, which is then executed when the workflow is previewed or triggered. The root cause is insufficient input validation: contributors and editors (accounts with limited privileges) can store arbitrary JavaScript in the email content, and it is later rendered unescaped. The flaw highlights a recurring weakness in input sanitization for fields whose contents are displayed dynamically to other users.
Understanding XSS Attacks
Cross-Site Scripting (XSS) is one of the most common and dangerous vulnerability classes in web applications, including WordPress plugins. An XSS vulnerability exists when an attacker can inject JavaScript into a page that is then executed in the browser of any user who views it. Such attacks can be used to steal session cookies, hijack user sessions, or escalate privileges to gain unauthorized access to a site. A real-world example in WordPress is an XSS vulnerability in the WPForms plugin, where attackers were able to inject JavaScript into form fields, enabling session hijacking. Similarly, CVE-2024-12568 allows attackers to inject JavaScript into the “Email Content” field in Email Subscribers, so that arbitrary scripts execute when the content is rendered.
Exploiting the XSS Vulnerability
To exploit CVE-2024-12568, an attacker with editor-level privileges follows the steps below.
PoC:
Create a new workflow of type "Subscriber: Confirmation email". Go to the "Email - Send Email" section and change the "Email Content" field to "<img src=x onerror=alert(1)>". Save it. To trigger the XSS, open the new workflow and click the eye icon. (Admins and editors are allowed to use JS in posts/pages/comments/etc., so the unfiltered_html capability should be disallowed when testing for Stored XSS with such roles.)
The potential risks associated with CVE-2024-12568 are significant. If exploited, an attacker could gain administrative access to the WordPress site by hijacking an admin’s session or escalating their own privileges. Once the attacker has admin access, they can alter content, install malicious plugins, or steal sensitive user data. In a real-world scenario, an attacker could use the backdoor created through this vulnerability to maintain persistent access to the WordPress site, even if the administrator changes their password. For websites that handle sensitive user information, such as e-commerce sites or membership platforms, the exploitation of this vulnerability could lead to data breaches, financial losses, and reputational damage. Furthermore, the attacker could exploit this vulnerability as a stepping stone to compromise other systems or services connected to the compromised WordPress site.
Recommendations for Improved Security
To mitigate the risks associated with CVE-2024-12568, administrators should immediately update the Email Subscribers by Icegram Express plugin to version 5.7.45 or later, which contains the fix. User input in the “Email Content” field, as well as any other field whose contents are rendered dynamically, must be sanitized and validated before being stored, and escaped again when output. Disabling the unfiltered_html capability for non-admin users is a crucial step in preventing JavaScript injection through plugin settings. In addition, administrators should consider a Content Security Policy (CSP) to restrict the execution of untrusted scripts. Regular security audits, the use of security plugins, and limiting user permissions are also key steps in reducing the impact of XSS vulnerabilities. The vendor applied our recommended fixes to prevent this type of attack.
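The following added example (not Icegram Express code, and not part of the original advisory) shows the vulnerable save-and-preview pattern described above beside a hardened version. The `esp_*` function names, the `esp_workflow_email_content` option key, the `esp_save_workflow` nonce action and the tag allowlist are assumptions chosen for illustration; the WordPress APIs used (`wp_kses`, `wp_unslash`, `update_option`, `current_user_can`, `check_admin_referer`, the `map_meta_cap` filter, the `send_headers` action and the `DISALLOW_UNFILTERED_HTML` constant) are real.

```php
<?php
/**
 * Added, illustrative hardening of a "workflow email content" setting.
 * Function names (esp_*), the option key and the nonce action are hypothetical;
 * this is not Icegram Express code.
 */

// --- Vulnerable pattern: content stored as submitted and echoed as-is ----------
function esp_save_workflow_content_vulnerable( $raw_content ) {
    // No filtering: "<img src=x onerror=alert(1)>" reaches the database intact.
    update_option( 'esp_workflow_email_content', $raw_content );
}

function esp_render_preview_vulnerable() {
    // The stored payload runs in the browser of whoever opens the preview.
    echo get_option( 'esp_workflow_email_content', '' );
}

// --- Hardened pattern: allowlist on input, re-filter on output ------------------

/**
 * Tags and attributes an email body legitimately needs. Event-handler attributes
 * (onerror, onload, ...) and <script> are absent, so wp_kses() drops them while
 * ordinary formatting survives.
 */
function esp_allowed_email_html() {
    return array(
        'p'      => array( 'style' => true ),
        'br'     => array(),
        'strong' => array(),
        'em'     => array(),
        'a'      => array( 'href' => true, 'title' => true, 'target' => true ),
        'img'    => array( 'src' => true, 'alt' => true, 'width' => true, 'height' => true ),
        'table'  => array( 'width' => true, 'cellpadding' => true ),
        'tr'     => array(),
        'td'     => array( 'style' => true ),
    );
}

function esp_save_workflow_content( $raw_content ) {
    // Capability and nonce checks before touching the option. 'manage_options' is
    // used here for illustration; a plugin would normally define its own capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'esp-example' ), 403 );
    }
    check_admin_referer( 'esp_save_workflow' );

    $clean = wp_kses( wp_unslash( $raw_content ), esp_allowed_email_html() );
    update_option( 'esp_workflow_email_content', $clean );
}

function esp_render_preview() {
    // Filter again on output: content that reached the database by another path
    // (an older plugin version, a direct DB write) still cannot execute here.
    $stored = get_option( 'esp_workflow_email_content', '' );
    echo wp_kses( $stored, esp_allowed_email_html() );
}

// --- Keep unfiltered_html away from non-administrators --------------------------
// Site-wide alternative: define( 'DISALLOW_UNFILTERED_HTML', true ); in wp-config.php
// removes the capability from every role, administrators included.
add_filter( 'map_meta_cap', function ( $caps, $cap, $user_id, $args ) {
    if ( 'unfiltered_html' === $cap && ! user_can( $user_id, 'manage_options' ) ) {
        return array( 'do_not_allow' );
    }
    return $caps;
}, 10, 4 );

// --- Front-end CSP as defence in depth ------------------------------------------
// Blocks inline scripts and event handlers on public pages. wp-admin itself relies
// on inline scripts, so a strict policy there needs nonces and is out of scope here.
add_action( 'send_headers', function () {
    if ( ! is_admin() ) {
        header( "Content-Security-Policy: script-src 'self'; object-src 'none'; base-uri 'self'" );
    }
} );
```

With the allowlist in place, the advisory's test string `<img src=x onerror=alert(1)>` is stored as `<img src="x" />`: the `img` tag survives because email bodies need images, but `onerror` is not an allowed attribute and is removed. Filtering on output as well as on input is what protects the preview (the "eye icon" view) even for content written before the fix was deployed.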
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2024-12568, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability
Dmitrii I.