CVE-2026-1651
SQL Injection in Email Subscribers Plugin Allows Data Extraction
Publication date: 2026-03-04
Last updated on: 2026-03-04
Assigner: Wordfence
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| icegram | email_subscribers | up to 5.9.16 (inclusive) |
| icegram | email_subscribers | up to 5.9.16 (exclusive) |
| icegram | email_subscribers | 5.9.17 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
Can you explain this vulnerability to me?
The Email Subscribers by Icegram Express WordPress plugin (up to version 5.9.16) contains an authenticated SQL injection vulnerability in the 'workflow_ids' parameter. This flaw arises because the plugin insufficiently escapes and prepares this user-supplied parameter before including it in an SQL query.

Specifically, the vulnerability exists in the update_status function, where the 'workflow_ids' parameter is used directly in an SQL IN clause without proper validation or sanitization. The plugin uses esc_sql(), which only escapes quotes and backslashes and does not adequately protect numeric inputs in this context. Additionally, string interpolation happens before the SQL query is prepared, allowing attackers to inject malicious SQL.

An attacker with administrator-level access can exploit this flaw to append additional SQL queries, enabling extraction of sensitive database information such as user credentials, email addresses, and plugin secrets. [2]
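The following is an added illustration, not the plugin's own code: it places the pattern the answer above describes (esc_sql() applied to ids that are interpolated unquoted into an IN list before any preparation) beside a construction that casts each id and binds it through a prepare-style placeholder. The table name, function names and the two small stand-ins for WordPress's esc_sql() and $wpdb->prepare() are assumptions so the script runs outside WordPress.

```php
<?php
// Added example (not the plugin's code). Stand-ins for WordPress's esc_sql()
// and $wpdb->prepare(); they model the real behaviour only as far as needed here.
if ( ! function_exists( 'esc_sql' ) ) {
    // esc_sql() escapes quotes and backslashes only; it adds nothing in an
    // unquoted numeric context.
    function esc_sql( $v ) { return addslashes( (string) $v ); }
}
function wp_prepare_standin( string $query, array $args ): string {
    $i = 0;
    return preg_replace_callback( '/%[ds]/', function ( $m ) use ( $args, &$i ) {
        $v = $args[ $i++ ];
        return $m[0] === '%d' ? (string) (int) $v : "'" . esc_sql( $v ) . "'";
    }, $query );
}

// UNSAFE (the pattern the advisory describes): the ids are escaped with
// esc_sql() and joined into the IN list before the query is prepared, so
// SQL syntax inside an id is copied into the statement unchanged.
function build_update_status_unsafe( array $workflow_ids, string $status ): string {
    $ids = implode( ',', array_map( 'esc_sql', $workflow_ids ) );   // hypothetical table name below
    return "UPDATE wp_hypothetical_workflows SET status = '" . esc_sql( $status )
         . "' WHERE id IN ({$ids})";
}

// SAFE: cast every id to int and drop zeros (non-numeric input collapses to 0),
// bind the status with %s, and emit one %d placeholder per id so the values are
// substituted only after the query text is fixed.
function build_update_status_safe( array $workflow_ids, string $status ) {
    $ids = array_values( array_filter( array_map( 'intval', $workflow_ids ) ) );
    if ( ! $ids ) {
        return false;   // refuse to build "IN ()" rather than guess at intent
    }
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
    return wp_prepare_standin(
        "UPDATE wp_hypothetical_workflows SET status = %s WHERE id IN ({$placeholders})",
        array_merge( array( $status ), $ids )
    );
}

// Constructed sample input: the second "id" carries SQL syntax but no quotes,
// so esc_sql() leaves it intact while intval() reduces it to the number 7.
$input = array( '3', '7) OR 1=1 -- ' );
echo build_update_status_unsafe( $input, 'active' ), "\n";   // injected clause lands after the IN list
echo build_update_status_safe( $input, 'active' ), "\n";     // IN list contains only 3 and 7
```

Run with `php` on the command line; compare the two printed statements to see which one the WHERE clause still constrains.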
How can this vulnerability impact me?
This vulnerability allows an authenticated attacker with administrator privileges to perform SQL injection attacks on the plugin's database. Such an attacker could:

- Extract sensitive data such as user password hashes, email addresses, and plugin secrets.
- Modify database contents by executing crafted UPDATE queries.
- Potentially escalate privileges if combined with other vulnerabilities like broken access control.

The exploitation can be done via an AJAX endpoint, allowing blind SQL injection techniques such as time-based and boolean-based attacks to extract data character-by-character. [2]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious authenticated AJAX requests targeting the Email Subscribers plugin's workflows update_status function. Specifically, look for AJAX POST requests with the action parameter set to 'wp_ajax_icegram-express' and method 'update_status' that include crafted 'workflow_ids' parameters containing unexpected SQL payloads.

A practical detection method is to capture and analyze HTTP requests to the WordPress admin AJAX endpoint (usually /wp-admin/admin-ajax.php) for unusual or malformed 'workflow_ids' parameters that could indicate SQL injection attempts.

Example commands to detect such activity include using network traffic inspection tools or command-line utilities like curl or grep on server logs:

- Using grep to find suspicious AJAX requests in web server logs: `grep 'admin-ajax.php' /var/log/apache2/access.log | grep 'action=wp_ajax_icegram-express' | grep 'update_status'`
- Using curl to test for the vulnerability (requires admin authentication): `curl -X POST -d 'action=wp_ajax_icegram-express&method=update_status&workflow_ids[]=1 OR 1=1' https://yourwordpresssite.com/wp-admin/admin-ajax.php -b cookies.txt -c cookies.txt`

Note that exploitation requires administrator-level authentication, so detection efforts should focus on monitoring admin user activity and AJAX requests related to the Email Subscribers plugin workflows. [2]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the Email Subscribers plugin to a version later than 5.9.16, where this SQL injection vulnerability has been fixed.

If an update is not immediately possible, restrict administrator access to trusted users only, as exploitation requires administrator-level privileges.

Additionally, monitor and restrict access to the AJAX endpoint handling workflows updates to prevent unauthorized or suspicious requests.

Consider applying Web Application Firewall (WAF) rules to detect and block SQL injection attempts targeting the 'workflow_ids' parameter in AJAX requests.

Review and audit administrator accounts for suspicious activity and change passwords if compromise is suspected. [2]