CVSS: 6.5 • EPSS: 0% • CPEs: 1 • EXPL: 0
CVE-2026-1651 – Email Subscribers & Newsletters <= 5.9.16 - Authenticated (Administrator+) SQL Injection via 'workflow_ids' Parameter
https://notcve.org/view.php?id=CVE-2026-1651
03 Mar 2026 — The Email Subscribers by Icegram Express plugin for WordPress is vulnerable to SQL Injection via the 'workflow_ids' parameter in all versions up to, and including, 5.9.16 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the da... • https://downloads.wordpress.org/plugin/email-subscribers.5.9.15.zip • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVSS: 6.5 • EPSS: 0% • CPEs: 1 • EXPL: 0
CVE-2025-68507 – WordPress Icegram plugin <= 3.1.35 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2025-68507
05 Jan 2026 — Missing Authorization vulnerability in Icegram Icegram icegram allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Icegram: from n/a through <= 3.1.35. The Icegram Engage – Popups, Optins, CTAs & lot more… plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 3.1.35. This makes it possible for unauthenticated attackers to perform an unauthorized action. • https://patchstack.com/database/Wordpress/Plugin/icegram/vulnerability/wordpress-icegram-plugin-3-1-35-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization
CVSS: 5.3 • EPSS: 0% • CPEs: 1 • EXPL: 0
CVE-2025-12348 – Email Subscribers & Newsletters <= 5.9.10 - Missing Authentication to Unauthenticated Action Scheduler Task Execution
https://notcve.org/view.php?id=CVE-2025-12348
11 Dec 2025 — The Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 5.9.10. This is due to the plugin not properly verifying that a user is authorized to perform an action in the `run_action_scheduler_task` function. This makes it possible for unauthenticated attackers to execute scheduled actions early or repeatedly by guessing action IDs, potentially triggering email sends, maintenance tasks, or other p... • https://plugins.trac.wordpress.org/browser/email-subscribers/tags/5.9.4/lite/includes/classes/class-es-queue.php#L50 • CWE-306: Missing Authentication for Critical Function
CVSS: 5.3 • EPSS: 0% • CPEs: 1 • EXPL: 0
CVE-2025-12349 – Email Subscribers & Newsletters <= 5.9.10 - Missing Authentication to Unauthenticated Mailing Queue Trigger
https://notcve.org/view.php?id=CVE-2025-12349
18 Nov 2025 — The Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 5.9.10. This is due to the plugin not properly verifying that a user is authorized to perform an action in the `trigger_mailing_queue_sending` function. This makes it possible for unauthenticated attackers to force immediate email sending, bypass the schedule, increase server load, and change plugin state (e.g., last-cron-hit), enabling abuse or ... • https://plugins.trac.wordpress.org/browser/email-subscribers/tags/5.9.4/lite/includes/classes/class-es-queue.php#L1132 • CWE-306: Missing Authentication for Critical Function
CVSS: 7.5 • EPSS: 0% • CPEs: 1 • EXPL: 0
CVE-2025-47527 – WordPress Icegram Collect – Easy Form, Lead Collection and Subscription plugin <= 1.3.18 - Broken Access Control Vulnerability
https://notcve.org/view.php?id=CVE-2025-47527
04 Jun 2025 — Missing Authorization vulnerability in Icegram Icegram Collect – Easy Form, Lead Collection and Subscription plugin allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Icegram Collect – Easy Form, Lead Collection and Subscription plugin: from n/a through 1.3.18. The Icegram Collect – Easy Form, Lead Collection and Subscription plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and inc... • https://patchstack.com/database/wordpress/plugin/icegram-rainmaker/vulnerability/wordpress-icegram-collect-easy-form-lead-collection-and-subscription-plugin-1-3-18-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization
CVSS: 6.5 • EPSS: 0% • CPEs: 1 • EXPL: 0
CVE-2025-24542 – WordPress Icegram Engage plugin <= 3.1.31 - Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2025-24542
24 Jan 2025 — Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in icegram Icegram allows Stored XSS. This issue affects Icegram: from n/a through 3.1.31. The Icegram plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.1.31 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will... • https://patchstack.com/database/wordpress/plugin/icegram/vulnerability/wordpress-icegram-engage-plugin-3-1-31-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS: 6.5 • EPSS: 0% • CPEs: 1 • EXPL: 0
CVE-2024-8254 – Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce <= 5.7.34 - Authenticated (Subscriber+) Arbitrary Shortcode Execution
https://notcve.org/view.php?id=CVE-2024-8254
01 Oct 2024 — The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 5.7.34. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes. • https://www.wordfence.com/threat-intel/vulnerabilities/id/7d4ae4a7-aec1-4cc1-bea0-61dde44027fc?source=cve • CWE-94: Improper Control of Generation of Code ('Code Injection')
CVSS: 4.3 • EPSS: 0% • CPEs: 1 • EXPL: 0
CVE-2024-8771 – Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce <= 5.7.34 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure
https://notcve.org/view.php?id=CVE-2024-8771
25 Sep 2024 — The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'preview_email_template_design' function in all versions up to, and including, 5.7.34. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract sensitive data including the content of private, password protected, pending, and draft posts and pages... • https://plugins.trac.wordpress.org/browser/email-subscribers/trunk/lite/admin/class-email-subscribers-admin.php#L1754 • CWE-862: Missing Authorization
CVSS: 6.5 • EPSS: 0% • CPEs: 1 • EXPL: 0
CVE-2024-43344 – WordPress Icegram Engage – Ultimate WP Popup Builder, Lead Generation, Optins, and CTA plugin <= 3.1.25 - Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2024-43344
16 Aug 2024 — Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Icegram allows Stored XSS. This issue affects Icegram: from n/a through 3.1.25. The Icegram plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 3.1.25 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will e... • https://patchstack.com/database/vulnerability/icegram/wordpress-icegram-engage-ultimate-wp-popup-builder-lead-generation-optins-and-cta-plugin-3-1-25-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS: 5.5 • EPSS: 0% • CPEs: 1 • EXPL: 0
CVE-2024-43273 – WordPress Icegram Collect plugin <= 1.3.14 - Broken Access Control vulnerability
https://notcve.org/view.php?id=CVE-2024-43273
12 Aug 2024 — Missing Authorization vulnerability in icegram Icegram Collect plugin allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Icegram Collect plugin: from n/a through 1.3.14. The Icegram Collect – Easy Form, Lead Collection and Subscription plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the disconnect_campaignmonitor() function, along with a few others, in versions up to, and including, 1.3.14. This makes it possible f... • https://patchstack.com/database/vulnerability/icegram-rainmaker/wordpress-icegram-collect-easy-form-lead-collection-and-subscription-plugin-plugin-1-3-14-broken-access-control-vulnerability?_s_id=cve • CWE-862: Missing Authorization
