Description
Deserialization of Untrusted Data vulnerability in Icegram Icegram Express Pro email-subscribers-premium allows Object Injection. This issue affects Icegram Express Pro: from n/a through < 5.9.14.
Published: 2025-12-24
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Deserialization of untrusted data in the Icegram Express Pro plugin allows an attacker to perform PHP object injection by supplying a crafted serialized string to a code path that passes it to unserialize(). This is a classic instance of CWE-502: the plugin unserializes input it does not control without a safeguard that would prevent object instantiation, so the attacker can create an object of any class loadable at that point, with attacker-chosen property values. Whether that escalates to code execution or modification of sensitive data depends on a usable gadget chain, that is, a loadable class whose magic methods (__wakeup(), __destruct(), __toString() and similar) act on those properties when PHP invokes them; the record rates the impact as remote code execution.
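The following is an added illustration of the pattern CWE-502 describes, written for this page and not taken from the Icegram Express Pro code base. The LogWriter gadget class, the load_prefs_* functions and the payload are assumptions chosen to show why unserialize() on attacker-controlled data is dangerous and how the call is hardened:

```php
<?php
// Added illustration of CWE-502 (PHP object injection). This is NOT code from
// Icegram Express Pro; the LogWriter class, the input source and the payload are
// hypothetical and exist only to show why unserialize() on attacker-controlled
// data is dangerous and how the call is hardened.

// A hypothetical gadget: a loadable class whose magic method acts on its own
// properties. unserialize() restores properties from the string, and PHP calls
// __wakeup() on restore and __destruct() on release, so whoever controls the
// string controls what these methods operate on.
class LogWriter {
    public $path = '/var/log/app.log';
    public $line = '';

    public function __destruct() {
        // A real gadget would perform the write (e.g. drop a .php file under the
        // web root); this one only reports it, so the example has no side effects.
        echo "LogWriter::__destruct() would write " . var_export($this->line, true)
           . " to " . $this->path . "\n";
    }
}

// Vulnerable pattern: untrusted input (cookie, POST field, stored option) goes
// straight into unserialize(). Any loadable class can be instantiated.
function load_prefs_vulnerable($untrusted) {
    return unserialize($untrusted);
}

// Hardened pattern 1: forbid object instantiation. Objects in the payload come
// back as __PHP_Incomplete_Class, so no __wakeup()/__destruct() of a real class runs.
function load_prefs_hardened($untrusted) {
    return unserialize($untrusted, ['allowed_classes' => false]);
}

// Hardened pattern 2: do not use PHP serialization for untrusted data at all.
function load_prefs_json($untrusted) {
    $data = json_decode($untrusted, true);
    return is_array($data) ? $data : null;
}

// Constructed attacker payload. Format: O:<name length>:"<class>":<property count>:{...}
$payload = 'O:9:"LogWriter":2:{s:4:"path";s:14:"/tmp/pwned.txt";s:4:"line";s:5:"owned";}';

echo "vulnerable: ";
$obj = load_prefs_vulnerable($payload);   // a real LogWriter is created ...
echo get_class($obj), "\n";
unset($obj);                               // ... and its __destruct() fires with attacker-chosen properties

echo "hardened:   ";
$safe = load_prefs_hardened($payload);     // no LogWriter is created, so nothing fires
echo get_class($safe), "\n";

echo "json:       ";
var_dump(load_prefs_json($payload));       // serialized-object syntax is not JSON, so it is rejected
```

Running it shows the vulnerable call instantiating LogWriter and its destructor running with the attacker's values the moment the object is released, while the hardened call returns a __PHP_Incomplete_Class instance whose magic methods never run, and the JSON variant rejects the input outright. Where code genuinely needs objects back, pass an explicit array of class names to allowed_classes instead of false; that is the allow-list form of the same safeguard.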

Affected Systems

WordPress sites running the Icegram Express Pro plugin (slug email-subscribers-premium) at a version earlier than 5.9.14 are affected. The issue does not apply to versions 5.9.14 and newer, which contain the fix.

Risk and Exploitability

The current CVSS 3.1 base score is 7.2 (High) with vector CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H: reachable over the network with low attack complexity and no user interaction, but requiring high privileges, and with high confidentiality, integrity and availability impact. The record's history shows the score was revised from 9.8 (PR:N) to 7.2 (PR:H) and the SSVC Automatable value from yes to no, so as currently scored the attacker needs a privileged account on the target site (administrator level or similar) before the vulnerable code path can be reached. The EPSS score below 1% indicates a low observed probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog, so no widespread exploitation is known at this time. The advisory does not identify which input is unserialized; the attack consists of placing a serialized PHP object in whatever parameter, cookie, form field or stored value the plugin passes to unserialize(). Successful exploitation with a usable gadget chain yields remote code execution on the affected WordPress installation, consistent with the SSVC technical-impact rating of total.

Generated by OpenCVE AI on April 28, 2026 at 18:27 UTC.

Remediation

The CVE record carries no vendor-supplied fix or workaround entry. The affected range in the description and title (versions below 5.9.14) indicates that 5.9.14 is the fixed release, and the recommended actions below rely on that.

OpenCVE Recommended Actions

  • Upgrade Icegram Express Pro to version 5.9.14 or newer, the first release outside the affected range.
  • If the update cannot be applied immediately, deactivate or remove the plugin until it can. Because the current CVSS vector requires high privileges (PR:H), also review which accounts hold administrator-level roles and remove any that are not needed.
  • Inspect web server and WAF logs for request parameters, cookies and form fields that carry PHP serialized object syntax (values beginning with O:<n>:"ClassName":, possibly base64-encoded), and consider a web application firewall rule that blocks such values, since legitimate clients have no reason to send serialized PHP objects to a WordPress site.
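As an added example of the monitoring rule in the last item (not code from Icegram, OpenCVE or any WAF product; the function name, the regular expression and the sample requests are constructed for this page), the following PHP scans request parameters for serialized PHP object syntax, including values that are base64-encoded:

```php
<?php
// Added example of request inspection for PHP object injection attempts.
// This is not Icegram or OpenCVE code; the request samples below are
// constructed for illustration and the function name is hypothetical.

// A serialized PHP object starts with  O:<name length>:"<class name>":<property count>:{
// (C:... for classes implementing the old Serializable interface). That prefix in
// any client-controlled value is a high-signal indicator, because ordinary clients
// have no reason to send serialized PHP objects to a web application.
const SERIALIZED_OBJECT_RE = '/(?:^|[^A-Za-z0-9])[OC]:\d+:"[A-Za-z0-9_\\\\]+":\d+:\{/';

/**
 * Return the values that look like serialized PHP objects. Payloads are often
 * base64-encoded (cookies, hidden form fields), so each value is also checked
 * after a strict base64 decode.
 *
 * @param array<string,string> $params  name => value pairs (GET, POST, cookies)
 * @return array<int,array{param:string,encoding:string,value:string}>
 */
function find_serialized_objects(array $params): array {
    $hits = [];
    foreach ($params as $name => $value) {
        if (!is_string($value)) {
            continue;
        }
        if (preg_match(SERIALIZED_OBJECT_RE, $value)) {
            $hits[] = ['param' => $name, 'encoding' => 'raw', 'value' => $value];
            continue;
        }
        // strict=true rejects strings containing characters outside the base64
        // alphabet, which keeps ordinary text from being "decoded" into noise.
        $decoded = base64_decode($value, true);
        if ($decoded !== false && preg_match(SERIALIZED_OBJECT_RE, $decoded)) {
            $hits[] = ['param' => $name, 'encoding' => 'base64', 'value' => $decoded];
        }
    }
    return $hits;
}

// Constructed sample requests: one benign, one raw payload, one base64-encoded.
$requests = [
    ['id' => 'benign',  'params' => ['email' => 'a@example.com', 'list' => '3']],
    ['id' => 'raw',     'params' => ['prefs' => 'O:8:"stdClass":1:{s:1:"x";i:1;}']],
    ['id' => 'encoded', 'params' => ['state' => base64_encode('O:8:"stdClass":0:{}')]],
];

foreach ($requests as $req) {
    $hits = find_serialized_objects($req['params']);
    printf("%-8s %s\n", $req['id'], $hits ? 'BLOCK/ALERT' : 'allow');
    foreach ($hits as $h) {
        printf("         param=%s encoding=%s value=%s\n", $h['param'], $h['encoding'], $h['value']);
    }
}
```

The same check can be dropped into a must-use plugin that runs before the vulnerable code, or expressed as a WAF rule on the raw and base64-decoded request body. Because the scored vector requires high privileges, alerts on these patterns from an authenticated administrator session are the ones that matter most for this CVE.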

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 19:30:00 +0000

Type: Metrics (ssvc)
Values Removed: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics (cvssV3_1)
Values Removed: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Values Added: {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

Wed, 01 Apr 2026 23:45:00 +0000

Type: Description
Values Removed: Deserialization of Untrusted Data vulnerability in Icegram Icegram Express Pro email-subscribers-premium allows Object Injection.This issue affects Icegram Express Pro: from n/a through <= 5.9.11.
Values Added: Deserialization of Untrusted Data vulnerability in Icegram Icegram Express Pro email-subscribers-premium allows Object Injection.This issue affects Icegram Express Pro: from n/a through < 5.9.14.
Type: Title
Values Removed: WordPress Icegram Express Pro plugin <= 5.9.11 - PHP Object Injection vulnerability
Values Added: WordPress Icegram Express Pro plugin < 5.9.14 - PHP Object Injection vulnerability

Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Mon, 29 Dec 2025 23:15:00 +0000

Type: First Time appeared
Values Added: Icegram; Icegram icegram Express; Wordpress; Wordpress wordpress
Type: Vendors & Products
Values Added: Icegram; Icegram icegram Express; Wordpress; Wordpress wordpress

Wed, 24 Dec 2025 20:15:00 +0000

Type: Metrics (cvssV3_1)
Values Added: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 24 Dec 2025 13:15:00 +0000

Type: Description
Values Added: Deserialization of Untrusted Data vulnerability in Icegram Icegram Express Pro email-subscribers-premium allows Object Injection.This issue affects Icegram Express Pro: from n/a through <= 5.9.11.
Type: Title
Values Added: WordPress Icegram Express Pro plugin <= 5.9.11 - PHP Object Injection vulnerability
Type: Weaknesses
Values Added: CWE-502
Type: References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:27.348Z

Reserved: 2025-12-15T10:01:03.747Z

Link: CVE-2025-68038

Vulnrichment

Updated: 2025-12-24T18:53:59.864Z

NVD

Status: Deferred

Published: 2025-12-24T13:16:19.807

Modified: 2026-04-27T19:16:23.060

Link: CVE-2025-68038

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T18:30:37Z

Weaknesses