CVE-2024-4295 Overview
CVE-2024-4295 is an unauthenticated SQL injection vulnerability in the Email Subscribers by Icegram Express plugin for WordPress. The flaw affects all versions up to and including 5.7.20 and resides in the handling of the hash parameter. Insufficient escaping of user-supplied input combined with improper SQL query preparation allows attackers to append arbitrary SQL statements to existing queries. Successful exploitation lets remote attackers extract sensitive data from the WordPress database without any authentication or user interaction. The plugin is widely deployed across WordPress sites for newsletter and email subscriber management, expanding the attack surface significantly.
Critical Impact
Unauthenticated attackers can extract sensitive database information including user credentials, session tokens, and subscriber data through crafted requests to the vulnerable hash parameter.
Affected Products
- Icegram Email Subscribers & Newsletters (Email Subscribers by Icegram Express) plugin for WordPress
- All versions up to and including 5.7.20
- WordPress sites running the plugin with default configuration
Discovery Timeline
- 2024-06-05 - CVE-2024-4295 published to NVD
- 2026-04-08 - Last updated in NVD database
Technical Details for CVE-2024-4295
Vulnerability Analysis
The vulnerability is classified as SQL Injection [CWE-89] and stems from improper handling of the hash parameter within the plugin's contact list database operations. The affected logic resides in lite/includes/db/class-es-db-lists-contacts.php, where the hash value is incorporated into an SQL query without sufficient escaping or use of prepared statements. Attackers can append additional SQL clauses to the existing query structure. This allows extraction of arbitrary data from any table accessible to the WordPress database user, including the wp_users table containing hashed credentials and session metadata. The vulnerability requires no authentication, no privileges, and no user interaction, making it trivially exploitable across the network. The EPSS score of 92.923% places this issue in the 99.779 percentile, indicating high observed exploitation likelihood.
Root Cause
The root cause is the combination of two coding errors: missing input sanitization on the user-controlled hash parameter and the absence of $wpdb->prepare() parameterization on the constructed SQL statement. The plugin concatenates the raw parameter value directly into the query string.
Attack Vector
An unauthenticated remote attacker submits an HTTP request to a plugin endpoint that consumes the hash parameter. By embedding SQL syntax such as UNION SELECT clauses or stacked queries, the attacker manipulates the resulting SQL execution to return data from arbitrary tables. The vulnerable code path is described in the WordPress Plugin Changeset and the Wordfence Vulnerability Report.
Detection Methods for CVE-2024-4295
Indicators of Compromise
- HTTP requests containing the hash parameter with SQL metacharacters such as single quotes, UNION, SELECT, --, or /* comment sequences
- Web server access logs showing repeated requests to plugin endpoints with abnormally long or encoded hash values
- Unexpected database queries in MySQL slow query or general query logs referencing wp_users or other sensitive tables from the plugin context
- New or unexpected administrative accounts created in WordPress following plugin-related traffic spikes
Detection Strategies
- Deploy WAF rules that inspect query string and POST body parameters named hash for SQL injection signatures
- Enable WordPress audit logging to track plugin-initiated database queries and authentication events
- Correlate web access logs with database query logs to identify anomalous read patterns originating from the plugin
Monitoring Recommendations
- Monitor outbound data volumes from web servers running WordPress for exfiltration patterns following suspicious requests
- Alert on responses containing unusually large payloads to plugin endpoints that typically return small responses
- Track plugin version inventory across WordPress fleets to identify hosts still running versions at or below 5.7.20
How to Mitigate CVE-2024-4295
Immediate Actions Required
- Update the Email Subscribers by Icegram Express plugin to a version above 5.7.20 immediately
- Audit WordPress user accounts for unauthorized additions and force password resets for administrative users
- Review web server and database logs for prior exploitation attempts dating back to before the patch was applied
- Rotate WordPress secret keys, salts, and any API tokens stored in the database
Patch Information
The vendor addressed the issue in the plugin repository. The fix, available in the WordPress Plugin Changeset, introduces proper escaping and uses prepared statements for queries consuming the hash parameter. Site administrators should apply the update through the WordPress plugin manager or by deploying the latest plugin release manually.
Workarounds
- If patching is not immediately possible, deactivate and remove the Email Subscribers by Icegram Express plugin until the update can be applied
- Restrict access to WordPress plugin endpoints at the web server or WAF layer using IP allowlisting where feasible
- Apply virtual patching rules in a WAF to block requests where the hash parameter contains SQL syntax characters
# Example WAF rule pattern (ModSecurity) to block SQL injection in the hash parameter
SecRule ARGS:hash "@rx (?i)(union(\s|/\*.*\*/)+select|select.+from|--|;)" \
"id:1004295,phase:2,deny,status:403,msg:'Potential SQLi in hash parameter (CVE-2024-4295)'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
