CVE-2024-8254

Improper Control of Generation of Code ('Code Injection') (CWE-94)

Published: Oct 2, 2024 / Updated: 48d ago

CVSS 6.3 / EPSS 0.05% / Medium

Summary

The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5.7.34. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes.

Impact

This vulnerability allows authenticated attackers with Subscriber-level access or higher to execute arbitrary shortcodes. This can lead to code injection, potentially allowing attackers to manipulate the website's functionality, inject malicious content, or gain unauthorized access to sensitive information. The impact is classified as low for confidentiality, integrity, and availability, but the combined effect could be significant, especially if exploited by multiple low-privileged users.

Exploitation

There is no evidence that a public proof-of-concept exists, and no evidence of exploitation in the wild at the moment.

Patch

A patch is available. The vulnerability has been fixed in version 5.7.35 of the Email Subscribers plugin.

Mitigation

1. Update the Email Subscribers by Icegram Express plugin to version 5.7.35 or later.
2. If immediate updating is not possible, consider temporarily disabling the plugin until it can be updated.
3. Implement strong user access controls and regularly audit user privileges to minimize the number of accounts with Subscriber-level access or higher.
4. Monitor for any suspicious activity related to shortcode execution, especially from low-privileged users.
5. Implement Web Application Firewall (WAF) rules to detect and block potential shortcode injection attempts.
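The pattern the summary describes, an authenticated action that hands a caller-supplied value to do_shortcode without validating it, shown beside a hardened handler that adds a nonce, a capability check, an allowlist of permitted shortcode tags, and a log line for the monitoring in step 4. This is an added illustration, not the Icegram Express plugin's code; the handler names, the nonce action, and the allowlisted tag are assumptions.

```php
<?php
// Added illustration, not the Icegram Express plugin's code. Handler names,
// the nonce action and the allowlisted tag are assumptions for this example.

// Weak pattern: wp_ajax_ hooks fire for every logged-in role, Subscriber
// included, so any authenticated user could pass arbitrary shortcode text.
function example_preview_weak() {
    $content = wp_unslash( $_POST['content'] ?? '' );
    // No nonce, no capability check, no validation of the shortcode tags.
    wp_send_json_success( do_shortcode( $content ) );
}

// Hardened pattern: verify the nonce, require a real capability, and only
// render shortcode tags the feature legitimately needs.
function example_preview_hardened() {
    check_ajax_referer( 'example_preview', 'nonce' );

    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $allowed = array( 'example_subscribe_form' ); // hypothetical tag
    $content = sanitize_text_field( wp_unslash( $_POST['content'] ?? '' ) );

    // get_shortcode_regex() matches registered shortcodes; capture group 2
    // is the tag name. Reject the request if any tag is outside the allowlist.
    if ( preg_match_all( '/' . get_shortcode_regex() . '/s', $content, $matches ) ) {
        foreach ( $matches[2] as $tag ) {
            if ( ! in_array( $tag, $allowed, true ) ) {
                // Log the rejected tag and user so low-privilege probing is visible.
                error_log( sprintf( 'shortcode preview rejected tag "%s" for user %d',
                    $tag, get_current_user_id() ) );
                wp_send_json_error( 'shortcode not permitted', 400 );
            }
        }
    }

    wp_send_json_success( do_shortcode( $content ) );
}
add_action( 'wp_ajax_example_preview', 'example_preview_hardened' );
```

The allowlist check is the key control: `shortcode_exists()` alone only confirms a tag is registered, which is exactly what an unrestricted caller would rely on.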

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Timeline

First Article

Feedly found the first article mentioning CVE-2024-8254.

Oct 2, 2024 at 6:53 AM / Vulners.com RSS Feed
CVSS Estimate

Feedly estimated the CVSS score as HIGH

Oct 2, 2024 at 6:53 AM
CVE Assignment

NVD published the first details for CVE-2024-8254

Oct 2, 2024 at 7:15 AM
CVSS

A CVSS base score of 5.4 has been assigned.

Oct 2, 2024 at 7:20 AM / nvd
EPSS

EPSS Score was set to: 0.05% (Percentile: 21.8%)

Oct 3, 2024 at 11:00 AM
CVSS

A CVSS base score of 6.3 has been assigned.

Oct 8, 2024 at 7:10 PM / nvd

Affected Systems

Icegram/email_subscribers_&_newsletters

Patches

plugins.trac.wordpress.org

Attack Patterns

CAPEC-242: Code Injection

News

WordPress Vulnerability & Patch Roundup October 2024
Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-9528 Number of Installations: 500,000+ Affected Software: Contact Form Plugin by Fluent Forms <= 5.1.19 Patched Versions: Contact Form Plugin by Fluent Forms 5.1.20 Vulnerability: Cross Site Scripting (XSS) CVE: CVE-2024-8499 Number of Installations: 400,000+ Affected Software: Checkout Field Editor for WooCommerce <= 2.0.3 Patched Versions: Checkout Field Editor for WooCommerce 2.0.4
CVE-2024-8254
Medium Severity Description The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5.7.34. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes. Read more at https://www.tenable.com/cve/CVE-2024-8254
Medium - CVE-2024-8254 - The Email Subscribers by Icegram Express –...
The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress &WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions...

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: Low
