Description
The Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 5.9.10. This is due to the plugin not properly verifying that a user is authorized to perform an action in the `run_action_scheduler_task` function. This makes it possible for unauthenticated attackers to execute scheduled actions early or repeatedly by guessing action IDs, potentially triggering email sends, maintenance tasks, or other privileged operations, causing unexpected state changes and resource usage.
Published: 2025-12-12
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Action Execution
Action: Immediate Patch
AI Analysis

Impact

The Icegram Express Email Subscribers and Newsletters plugin for WordPress allows unauthenticated users to trigger the `run_action_scheduler_task` function without proper authorization. This missing authorization permits attackers to force the execution of scheduled tasks early or repeatedly by guessing action IDs, potentially sending unwanted emails, running maintenance scripts, or performing other privileged operations that alter system state or consume resources. The weakness is classified as CWE-306 (Missing Authentication for Critical Function).

Affected Systems

WordPress sites using the Icegram Express Email Subscribers and Newsletters plugin, version 5.9.10 or earlier.

Risk and Exploitability

The CVSS score of 5.3 designates a medium severity level, and an EPSS score of less than 1% indicates a low likelihood of exploitation. The vulnerability is not listed in CISA's KEV catalog. Attackers can exploit this weakness remotely over the web with no authentication, but success requires identifying valid action identifiers. While the impact is limited to the plugin’s scheduled tasks, repeated exploitation could lead to spam email delivery, excessive load, or corruption of the application state.

Generated by OpenCVE AI on April 21, 2026 at 00:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the plugin to version 5.9.11 or later, which removes the missing authentication check.
  • If an immediate update is not possible, restrict external access to the action scheduler endpoint by removing or tightening role permissions and disabling unnecessary background processes.
  • Monitor the site for unexpected email activity, resource spikes, or other indicators that scheduled tasks are being invoked without authorization.


Tracking


Advisories

No advisories yet.

History

Sun, 14 Dec 2025 21:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Icegram; Icegram email Subscribers & Newsletters; Wordpress; Wordpress wordpress
Vendors & Products  |                | Icegram; Icegram email Subscribers & Newsletters; Wordpress; Wordpress wordpress

Sat, 13 Dec 2025 09:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 12 Dec 2025 09:45:00 +0000

Type        | Values Removed | Values Added
Description |                | The Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 5.9.10. This is due to the plugin not properly verifying that a user is authorized to perform an action in the `run_action_scheduler_task` function. This makes it possible for unauthenticated attackers to execute scheduled actions early or repeatedly by guessing action IDs, potentially triggering email sends, maintenance tasks, or other privileged operations, causing unexpected state changes and resource usage.
Title       |                | Email Subscribers & Newsletters <= 5.9.10 - Missing Authentication to Unauthenticated Action Scheduler Task Execution
Weaknesses  |                | CWE-306
References  |                |
Metrics     |                | cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:21:15.908Z

Reserved: 2025-10-27T14:21:51.223Z

Link: CVE-2025-12348

Vulnrichment

Updated: 2025-12-12T20:49:08.228Z

NVD

Status : Deferred

Published: 2025-12-12T10:15:48.343

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12348

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T01:00:12Z

Weaknesses