Description
The Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin for WordPress is vulnerable to Authorization in versions up to, and including, 5.9.10. This is due to the plugin not properly verifying that a user is authorized to perform an action in the `trigger_mailing_queue_sending` function. This makes it possible for unauthenticated attackers to force immediate email sending, bypass the schedule, increase server load, and change plugin state (e.g., last-cron-hit), enabling abuse or DoS-like effects.
Published: 2025-11-19
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authorization bypass allows unauthenticated users to trigger immediate email sending, increasing server load and enabling spam or denial of service
Action: Patch Now
AI Analysis

Impact

The Icegram Email Subscribers & Newsletters plugin for WordPress contains an authorization flaw that permits unauthenticated attackers to invoke the trigger_mailing_queue_sending function. This flaw lets an attacker force the plugin to send emails immediately, bypass scheduled sending, alter plugin state such as the last-cron-hit property, and potentially overload the server with outbound mail, creating spam or DoS‑like effects.

Affected Systems

Icegram Email Subscribers & Newsletters WordPress plugin for versions 5.9.10 and earlier is affected. Users of any installation running these or earlier versions are within scope.

Risk and Exploitability

With a CVSS score of 5.3, the severity is moderate. The EPSS score of less than 1% indicates a very low probability of exploitation at the time of assessment, and the vulnerability is not listed in CISA KEV. The attack vector is inferred to be remote via an unauthenticated HTTP request to the plugin’s queue trigger endpoint, which can be performed by any internet-connected user with access to the site’s public URLs.

Generated by OpenCVE AI on April 22, 2026 at 16:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the plugin to version 5.9.11 or later
  • If an upgrade is not yet available, block or restrict access to the trigger_mailing_queue_sending endpoint using a web application firewall or similar controls
  • Disable or limit marketing automation or newsletter sending features within the plugin settings until a patch is applied

Generated by OpenCVE AI on April 22, 2026 at 16:37 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 20 Nov 2025 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Icegram
Icegram email Subscribers & Newsletters
Wordpress
Wordpress wordpress
Vendors & Products Icegram
Icegram email Subscribers & Newsletters
Wordpress
Wordpress wordpress

Wed, 19 Nov 2025 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 19 Nov 2025 04:45:00 +0000

Type Values Removed Values Added
Description The Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin for WordPress is vulnerable to Authorization in versions up to, and including, 5.9.10. This is due to the plugin not properly verifying that a user is authorized to perform an action in the `trigger_mailing_queue_sending` function. This makes it possible for unauthenticated attackers to force immediate email sending, bypass the schedule, increase server load, and change plugin state (e.g., last-cron-hit), enabling abuse or DoS-like effects.
Title Email Subscribers & Newsletters <= 5.9.10 - Missing Authentication to Unauthenticated Mailing Queue Trigger
Weaknesses CWE-306
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Icegram Email Subscribers & Newsletters
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:34:50.368Z

Reserved: 2025-10-27T14:22:50.164Z

Link: CVE-2025-12349

cve-icon Vulnrichment

Updated: 2025-11-19T20:10:28.316Z

cve-icon NVD

Status : Deferred

Published: 2025-11-19T05:16:00.083

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12349

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T16:45:21Z

Weaknesses