🔐 CVE Alert

CVE-2024-8254

MEDIUM 5.4

Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce <= 5.7.34 - Authenticated (Subscriber+) Arbitrary Shortcode Execution

CVSS Score
5.4
EPSS Score
0.0%
EPSS Percentile
0th

The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5.7.34. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes.

CWE CWE-94
Vendor icegram
Product email subscribers & newsletters – email marketing, post notifications & newsletter plugin for wordpress
Published Oct 2, 2024
Last Updated Apr 8, 2026
Stay Ahead of the Next One

Get instant alerts for icegram email subscribers & newsletters – email marketing, post notifications & newsletter plugin for wordpress

Be the first to know when new medium vulnerabilities affecting icegram email subscribers & newsletters – email marketing, post notifications & newsletter plugin for wordpress are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability

Affected Versions

icegram / Email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter Plugin for WordPress
0 ≤ 5.7.34

References

NVD ↗ CVE.org ↗ EPSS Data ↗
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/7d4ae4a7-aec1-4cc1-bea0-61dde44027fc?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/email-subscribers/tags/5.7.29/lite/includes/class-es-common.php#L244 plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset/3157336/

Credits

Arkadiusz Hydzik