CVE-2025-12348
Missing Authorization in Icegram Express Plugin Enables Unauthorized Task Execution
Publication date: 2025-12-12
Last updated on: 2025-12-12
Assigner: Wordfence
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| icegram | email_subscribers_newsletters_and_marketing_automation_plugin | 5.9.10 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the Icegram Express plugin for WordPress is a Missing Authorization issue affecting versions up to 5.9.10. It occurs because the plugin does not verify that the caller is authorized to perform the requested action in the run_action_scheduler_task function. This allows unauthenticated attackers to guess action IDs and execute scheduled actions earlier than intended or more than once, potentially triggering email sends, maintenance tasks, or other privileged operations.
How can this vulnerability impact me?
This vulnerability can allow unauthenticated attackers to trigger scheduled actions prematurely or repeatedly. This may cause unexpected changes in the system state, unintended email sends, excessive resource usage, and execution of privileged operations without authorization.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided resources and context do not contain information about the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unauthorized or unexpected calls to the `run_action_scheduler_task` function, in particular HTTP requests to `admin-ajax.php` carrying `action=ig_es_run_action_scheduler_task` together with guessed or repeated `action_id` values. Network or web server logs can be searched for such AJAX requests. For example, on a server with Apache logs: `grep 'action=ig_es_run_action_scheduler_task' /var/log/apache2/access.log` or `grep 'action_id=' /var/log/apache2/access.log` to identify repeated or unusual action IDs being triggered. Additionally, unexpected email sends or resource usage spikes tied to the plugin's scheduled tasks may indicate exploitation attempts. [2, 3]
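The two grep commands above only list matching lines; a practitioner usually wants to know which client is replaying one `action_id` or walking through many of them. The following script, an added example that is not part of this record or of the plugin, does that over Apache combined-format log lines. The parameter names are the ones the answer above mentions; the log lines and thresholds are constructed.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import urlsplit, parse_qs

# Action name and parameter taken from the detection answer on this page.
TARGET_ACTION = "ig_es_run_action_scheduler_task"
# Apache combined log format: client ip, identity, user, [timestamp], "request", status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log: one client replays action_id 42 and walks through 41-43,
# another client performs a single, unremarkable call.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Dec/2025:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=ig_es_run_action_scheduler_task&action_id=41 HTTP/1.1" 200 512
203.0.113.7 - - [12/Dec/2025:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=ig_es_run_action_scheduler_task&action_id=42 HTTP/1.1" 200 512
203.0.113.7 - - [12/Dec/2025:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=ig_es_run_action_scheduler_task&action_id=42 HTTP/1.1" 200 512
203.0.113.7 - - [12/Dec/2025:10:00:04 +0000] "GET /wp-admin/admin-ajax.php?action=ig_es_run_action_scheduler_task&action_id=43 HTTP/1.1" 200 512
198.51.100.9 - - [12/Dec/2025:10:05:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 64
198.51.100.9 - - [12/Dec/2025:10:06:00 +0000] "GET /wp-admin/admin-ajax.php?action=ig_es_run_action_scheduler_task&action_id=7 HTTP/1.1" 200 512
"""


def parse_scheduler_requests(log_text):
    """Yield (client_ip, action_id) for every request that carries the target action."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than fail
        query = parse_qs(urlsplit(m.group("url")).query)
        if query.get("action", [None])[0] != TARGET_ACTION:
            continue
        yield m.group("ip"), query.get("action_id", ["<missing>"])[0]


def find_suspicious_clients(log_text, repeat_threshold=2, distinct_threshold=3):
    """Map client ip -> {"repeated": [action_ids], "distinct": n} for clients that
    re-trigger one action_id at least repeat_threshold times (replay) or touch at
    least distinct_threshold different action_ids (ID guessing)."""
    per_ip = defaultdict(Counter)
    for ip, action_id in parse_scheduler_requests(log_text):
        per_ip[ip][action_id] += 1
    findings = {}
    for ip, counts in per_ip.items():
        repeated = sorted(a for a, n in counts.items() if n >= repeat_threshold)
        if repeated or len(counts) >= distinct_threshold:
            findings[ip] = {"repeated": repeated, "distinct": len(counts)}
    return findings


if __name__ == "__main__":
    for ip, info in find_suspicious_clients(SAMPLE_LOG).items():
        print(ip, info)
```

If the endpoint is called with POST, the parameters sit in the request body and never reach a standard access log, so this check must then run on WAF or application-level logs instead.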
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the Icegram Express plugin to a version later than 5.9.10 where the vulnerability is fixed (such as 5.9.11 or later). If an update is not immediately possible, restrict access to the AJAX endpoint `admin-ajax.php` for unauthenticated users or implement web application firewall (WAF) rules to block or rate-limit requests with the `action=ig_es_run_action_scheduler_task` parameter. Monitoring and blocking suspicious requests with guessed or repeated `action_id` values can also help reduce exploitation risk. [3]