Description
Deserialization of Untrusted Data vulnerability in Icegram Email Subscribers & Newsletters email-subscribers allows Object Injection.This issue affects Email Subscribers & Newsletters: from n/a through <= 5.9.10.
Published: 2025-11-21
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a deserialization flaw that allows an attacker to craft malicious data leading to PHP Object Injection in the Icegram Email Subscribers & Newsletters plugin. This manipulation of untrusted data can result in arbitrary code execution on the WordPress site, compromising confidentiality, integrity, and availability of the entire hosting environment. The weakness is identified as CWE‑502, which enables attackers to inject objects and control program flow.

Affected Systems

WordPress sites that have the Icegram Email Subscribers & Newsletters plugin installed with any version up to and including 5.9.10. The affected component is the plugin’s data handling routines that deserialize user-provided input without proper validation.

Risk and Exploitability

The CVSS base score of 7.2 indicates high severity, while the EPSS score of less than 1% suggests a low probability of exploitation at this time. The vulnerability is not listed in the CISA KEV catalog, but given the potential for remote code execution, the risk remains significant. Based on the description, it is inferred that the likely attack vector involves delivering crafted data through the plugin’s input processing interface—potentially via front‑end or administrative forms—to trigger the deserialization flaw.

Generated by OpenCVE AI on April 29, 2026 at 13:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Email Subscribers & Newsletters plugin to a version newer than 5.9.10, which contains the fix for the PHP Object Injection issue.
  • If an immediate update cannot be performed, disable or uninstall the plugin to eliminate the vulnerable deserialization path.
  • Conduct a code review of the plugin’s input handling and ensure that any remaining serialization or deserialization mechanisms no longer accept untrusted data from external sources.

Generated by OpenCVE AI on April 29, 2026 at 13:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Mon, 24 Nov 2025 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Icegram
Icegram email Subscribers & Newsletters
Wordpress
Wordpress wordpress
Vendors & Products Icegram
Icegram email Subscribers & Newsletters
Wordpress
Wordpress wordpress

Fri, 21 Nov 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 21 Nov 2025 12:45:00 +0000

Type Values Removed Values Added
Description Deserialization of Untrusted Data vulnerability in Icegram Email Subscribers & Newsletters email-subscribers allows Object Injection.This issue affects Email Subscribers & Newsletters: from n/a through <= 5.9.10.
Title WordPress Email Subscribers & Newsletters plugin <= 5.9.10 - PHP Object Injection vulnerability
Weaknesses CWE-502
References

Subscriptions

Icegram Email Subscribers & Newsletters
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T19:06:10.579Z

Reserved: 2025-11-21T11:20:39.725Z

Link: CVE-2025-66055

cve-icon Vulnrichment

Updated: 2025-11-21T14:26:49.499Z

cve-icon NVD

Status : Deferred

Published: 2025-11-21T13:15:46.183

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-66055

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T13:45:12Z

Weaknesses