Description
The Email Subscribers by Icegram Express plugin for WordPress is vulnerable to SQL Injection via the 'workflow_ids' parameter in all versions up to, and including, 5.9.16 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2026-03-04
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL injection enabling data extraction
Action: Apply patch
AI Analysis

Impact

The WordPress plugin Email Subscribers & Newsletters by Icegram has an SQL injection flaw on the workflow_ids parameter that allows an authenticated user with administrator privileges to inject arbitrary SQL statements. The vulnerability is caused by insufficient escaping of that parameter and lack of proper query preparation, enabling attackers to read or discover sensitive data from the database. The weakness is classified as CWE-89 and can lead to compromise of confidentiality and integrity of stored data.

Affected Systems

The flaw affects all releases of the plugin up to and including version 5.9.16. WordPress sites running any of these versions with the plugin active are susceptible. Exploitation requires an account with administrator privileges or higher.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. The EPSS score of less than 1% suggests the likelihood of exploitation is currently low, and the vulnerability is not listed in the CISA KEV catalog. Because exploitation requires administrative authentication, the risk is confined to sites where an attacker already holds such access. If an attacker obtains admin credentials or compromises the site by other means, the flaw can be used to extract data. The attack consists of sending a request with a crafted value in the workflow_ids parameter, which the existing input filtering fails to neutralize.

Generated by OpenCVE AI on April 15, 2026 at 16:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the Email Subscribers & Newsletters plugin to version 5.9.17 or later.
  • Restrict administrator access to trusted accounts and regularly review user permissions.
  • Implement web application firewall rules that block SQL injection patterns on the workflow_ids endpoint, or sanitize that input, for as long as the plugin remains unpatched.

Advisories

No advisories yet.

History

Wed, 04 Mar 2026 16:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 04 Mar 2026 15:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Icegram; Icegram email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter Plugin For Wordpress; Wordpress; Wordpress wordpress
Vendors & Products | | Icegram; Icegram email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter Plugin For Wordpress; Wordpress; Wordpress wordpress

Wed, 04 Mar 2026 02:00:00 +0000

Type | Values Removed | Values Added
Description | | The Email Subscribers by Icegram Express plugin for WordPress is vulnerable to SQL Injection via the 'workflow_ids' parameter in all versions up to, and including, 5.9.16 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Title | | Email Subscribers & Newsletters <= 5.9.16 - Authenticated (Administrator+) SQL Injection via 'workflow_ids' Parameter
Weaknesses | | CWE-89
References | |
Metrics | | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:26:58.228Z

Reserved: 2026-01-29T19:16:28.205Z

Link: CVE-2026-1651

Vulnrichment

Updated: 2026-03-04T16:03:09.457Z

NVD

Status: Deferred

Published: 2026-03-04T02:15:53.770

Modified: 2026-04-22T21:26:58.303

Link: CVE-2026-1651

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T17:00:07Z

Weaknesses