🔐 CVE Alert

CVE-2023-5414

CRITICAL 9.1

Icegram Express <= 5.6.23 - Authenticated (Administrator+) Directory Traversal to Arbitrary File Read

CVSS Score
9.1
EPSS Score
0.0%
EPSS Percentile
0th

The Icegram Express plugin for WordPress is vulnerable to Directory Traversal in versions up to, and including, 5.6.23 via the show_es_logs function. This allows administrator-level attackers to read the contents of arbitrary files on the server, which can contain sensitive information including those belonging to other sites, for example in shared hosting environments.

CWE CWE-22
Vendor icegram
Product email subscribers & newsletters – email marketing, post notifications & newsletter plugin for wordpress
Published Oct 20, 2023
Last Updated Apr 8, 2026
Stay Ahead of the Next One

Get instant alerts for icegram email subscribers & newsletters – email marketing, post notifications & newsletter plugin for wordpress

Be the first to know when new critical vulnerabilities affecting icegram email subscribers & newsletters – email marketing, post notifications & newsletter plugin for wordpress are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability

Affected Versions

icegram / Email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter Plugin for WordPress
0 ≤ 5.6.23

References

NVD ↗ CVE.org ↗ EPSS Data ↗
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/417186ba-36ef-4d06-bbcd-e85eb9219689?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/email-subscribers/trunk/lite/includes/classes/class-email-subscribers-logs.php?rev=2919465#L28 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=2977318%40email-subscribers%2Ftrunk&old=2972043%40email-subscribers%2Ftrunk&sfp_email=&sfph_mail=#file4

Credits

Marco Wotschka