Description
Server-Side Request Forgery (SSRF) vulnerability in Icegram Icegram Express Pro email-subscribers-premium allows Server Side Request Forgery. This issue affects Icegram Express Pro: from n/a through <= 5.9.5.
Published: 2025-10-22
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a Server‑Side Request Forgery (CWE‑918) that allows an attacker to make the plugin initiate HTTP requests to arbitrary internal or external addresses. The affected plugin component can be used to retrieve data or execute arbitrary commands over the network. Because the plugin runs with the privileges of the web server, successful exploitation could expose confidential internal resources or allow lateral movement within the hosting environment.

Affected Systems

Icegram Express Pro, the email‑subscribers‑premium WordPress plugin, is vulnerable in all released versions up to and including 5.9.5. The vulnerability applies to every site that has this plugin installed, regardless of the website’s user base or configuration.

Risk and Exploitability

The CVSS score of 4.4 indicates moderate severity. The EPSS score of less than 1% suggests that exploitation is currently unlikely, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is through the plugin’s web interface; an attacker must first interact with a vulnerable instance, but no authentication is required. Note, however, that the CVSS v3.1 vector recorded in the history below (AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N) scores the issue as requiring high privileges and high attack complexity, and the SSVC assessment marks it as not automatable with no known exploitation. Once executed, the attacker can direct the server to connect to arbitrary hosts.

Generated by OpenCVE AI on April 29, 2026 at 23:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Icegram Express Pro to a version newer than 5.9.5
  • Deploy an egress firewall rule that blocks outbound connections from the WordPress (PHP) process to non‑trusted addresses, including internal and loopback ranges
  • Verify that the site’s outbound requests are restricted to known domains, and review access or egress logs for outbound traffic to destinations outside that set
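The two recommendations above (restrict outbound requests to known hosts, and review egress logs for anything else) can be expressed as a small defensive check. The following is an added example written for this page; it is not code from OpenCVE, Icegram or the plugin. The allowlist, the sample DNS answers and the egress log lines are all constructed for the example, and the `resolver` hook exists only so the check can be exercised offline. The same post-resolution address test should be applied at connection time in a real deployment, otherwise a hostname that changes its answer between check and connect (DNS rebinding) bypasses it.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Hosts this site is expected to contact. Constructed for this example; a real
# deployment derives the list from the integrations the site actually uses.
ALLOWED_HOSTS = {"api.example.com", "cdn.example.com"}
ALLOWED_SCHEMES = {"http", "https"}

# RFC 6598 shared address space is neither "private" nor "global" to the
# ipaddress module, so it is checked explicitly.
SHARED_ADDRESS_SPACE = ipaddress.ip_network("100.64.0.0/10")


def is_public_address(ip_text):
    """True only for addresses routable on the public Internet."""
    ip = ipaddress.ip_address(ip_text)
    # An IPv4-mapped IPv6 literal (::ffff:10.0.0.5) must be judged as its IPv4 form.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if ip.version == 4 and ip in SHARED_ADDRESS_SPACE:
        return False
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def default_resolver(host):
    """Resolve a hostname to every address it currently points at (live DNS)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


# Constructed DNS answers so the example runs offline. cdn.example.com deliberately
# points at an internal address to show the post-resolution check firing.
SAMPLE_DNS = {
    "api.example.com": ["93.184.216.34"],
    "cdn.example.com": ["10.0.0.5"],
}


def sample_resolver(host):
    if host not in SAMPLE_DNS:
        raise OSError(f"no sample record for {host}")
    return SAMPLE_DNS[host]


def check_outbound_url(url, allowed_hosts=ALLOWED_HOSTS, resolver=default_resolver):
    """Return (allowed, reason) for a URL the web application wants to fetch."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "malformed URL"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not permitted"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in URL"
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return False, "URL has no host"
    if host not in allowed_hosts:
        return False, f"host {host!r} not in allowlist"
    try:
        addresses = resolver(host)
    except OSError as exc:
        return False, f"could not resolve {host!r}: {exc}"
    # Even an allowlisted name is rejected if any answer lands inside the network.
    for address in addresses:
        if not is_public_address(address):
            return False, f"host {host!r} resolves to non-public address {address}"
    return True, "ok"


# Constructed egress-proxy log lines: timestamp, process, method, URL, status.
SAMPLE_EGRESS_LOG = [
    "2025-10-22T15:15:37Z php-fpm GET https://api.example.com/v1/feed 200",
    "2025-10-22T15:16:02Z php-fpm GET http://10.0.0.5:8080/admin 200",
    "2025-10-22T15:16:40Z php-fpm GET http://127.0.0.1/ 500",
]


def flag_unexpected_egress(lines, allowed_hosts=ALLOWED_HOSTS):
    """Return (timestamp, url) for each logged request to a host outside the allowlist."""
    flagged = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed line; a real review would count these separately
        url = fields[3]
        host = (urlsplit(url).hostname or "").lower()
        if host not in allowed_hosts:
            flagged.append((fields[0], url))
    return flagged


if __name__ == "__main__":
    for url in ("https://api.example.com/v1/feed", "https://cdn.example.com/x.js",
                "http://127.0.0.1/", "file:///etc/hosts", "https://user:pw@api.example.com/"):
        print(url, "->", check_outbound_url(url, resolver=sample_resolver))
    for when, url in flag_unexpected_egress(SAMPLE_EGRESS_LOG):
        print("unexpected egress at", when, "to", url)
```

The allowlist check runs before resolution so that an attacker-controlled hostname is never looked up, and the address check runs after it so that an allowlisted name pointing at an internal range is still refused. In a WordPress deployment the equivalent decision belongs in whatever wraps the plugin's HTTP client, backed by the egress firewall rule recommended above.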


Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Thu, 13 Nov 2025 11:30:00 +0000


Thu, 13 Nov 2025 10:45:00 +0000


Thu, 23 Oct 2025 15:15:00 +0000

Type: Metrics
Values added:
  cvssV3_1: {'score': 4.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:L/I:L/A:N'}
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 23 Oct 2025 10:30:00 +0000

Type: First Time appeared
Values added: Icegram; Icegram icegram Express; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values added: Icegram; Icegram icegram Express; Wordpress; Wordpress wordpress

Wed, 22 Oct 2025 14:45:00 +0000

Type: Description
Values added: Server-Side Request Forgery (SSRF) vulnerability in Icegram Icegram Express Pro email-subscribers-premium allows Server Side Request Forgery. This issue affects Icegram Express Pro: from n/a through <= 5.9.5.

Type: Title
Values added: WordPress Icegram Express Pro plugin <= 5.9.5 - Server Side Request Forgery (SSRF) vulnerability

Type: Weaknesses
Values added: CWE-918

Type: References
Values added: (none listed)

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T20:24:40.871Z

Reserved: 2025-06-11T16:06:59.982Z

Link: CVE-2025-49917

Vulnrichment

Updated: 2025-10-23T14:23:26.629Z

NVD

Status : Deferred

Published: 2025-10-22T15:15:37.693

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-49917

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T00:00:14Z

Weaknesses