CVE-2024-6172 Overview
The Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress contains a time-based SQL Injection vulnerability in the db parameter. This vulnerability affects all versions up to and including 5.7.25 and stems from insufficient escaping on user-supplied parameters combined with inadequate preparation of SQL queries. The flaw allows unauthenticated attackers to append malicious SQL queries to existing database operations, potentially enabling extraction of sensitive information from the WordPress database.
Critical Impact
Unauthenticated attackers can exploit this time-based SQL Injection to extract sensitive data from the WordPress database, including user credentials, email subscriber lists, and potentially other confidential information stored in the site's database.
Affected Products
- Icegram Email Subscribers & Newsletters plugin for WordPress (all versions up to and including 5.7.25)
- WordPress installations using the affected Email Subscribers plugin
- WooCommerce sites with the Icegram Express Email Marketing integration
Discovery Timeline
- 2024-07-02 - CVE-2024-6172 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2024-6172
Vulnerability Analysis
This SQL Injection vulnerability (CWE-89) exists in the Email Subscribers plugin's database handling code, specifically in the class-es-db-contacts.php file. The vulnerability occurs because user input passed through the db parameter is not properly sanitized or escaped before being incorporated into SQL queries. The time-based nature of this injection means attackers can infer database contents by measuring response times when injecting conditional SQL statements.
The attack can be performed without any authentication, significantly increasing the risk exposure for affected WordPress sites. Since the plugin handles email subscriber data, successful exploitation could expose personal information including email addresses, names, and subscription preferences of newsletter subscribers.
Root Cause
The root cause of this vulnerability is the lack of proper input sanitization and the failure to use parameterized queries (prepared statements) when handling user-supplied data in the db parameter. The affected code in class-es-db-contacts.php directly incorporates user input into SQL queries without adequate escaping, violating secure coding practices for database interactions.
WordPress provides the $wpdb->prepare() method specifically to prevent SQL injection attacks, but this security measure was either not implemented or improperly applied in the vulnerable code path. This oversight allows attackers to inject arbitrary SQL syntax that gets executed against the database.
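The two patterns the root-cause analysis contrasts, side by side, as an added illustrative example. This is not code from the Icegram plugin or from class-es-db-contacts.php: the table name (es_example_contacts), the column (list_id) and the function names are hypothetical, and the snippet assumes a WordPress runtime (global $wpdb, absint(), WP_Error).

```php
<?php
/**
 * Added example, not the plugin's code. Shows the vulnerable pattern the
 * advisory describes (request value concatenated into SQL) beside a hardened
 * version that validates the value and binds it with $wpdb->prepare().
 * Table, column and function names are hypothetical; assumes WordPress.
 */

if ( ! defined( 'ABSPATH' ) ) {
	exit; // only meaningful inside a WordPress request
}

/**
 * VULNERABLE pattern (CWE-89): the raw `db` request value is placed inside the
 * quoted literal with no validation, escaping or placeholder. Any SQL syntax in
 * the value becomes part of the statement, and a time-delay function in it
 * turns the server's response time into an oracle.
 */
function es_example_contacts_vulnerable( $db ) {
	global $wpdb;
	$table = $wpdb->prefix . 'es_example_contacts';
	$sql   = "SELECT id, email FROM {$table} WHERE list_id = '{$db}'";
	return $wpdb->get_results( $sql );
}

/**
 * HARDENED pattern: reject anything that is not a positive integer, then let
 * $wpdb->prepare() bind the value. With %d the query can only ever receive an
 * integer; with %s WordPress escapes and quotes the value itself, so SQL
 * keywords inside it are inert data rather than syntax.
 */
function es_example_contacts_hardened( $db ) {
	global $wpdb;
	$list_id = absint( $db ); // non-numeric, negative or empty input becomes 0
	if ( 0 === $list_id ) {
		return new WP_Error( 'es_example_bad_db', 'Invalid list id.' );
	}
	$table = $wpdb->prefix . 'es_example_contacts';
	$sql   = $wpdb->prepare(
		"SELECT id, email FROM {$table} WHERE list_id = %d",
		$list_id
	);
	return $wpdb->get_results( $sql );
}

/**
 * Where the request value enters. wp_unslash() undoes WordPress's magic-quote
 * style slashing; it is not an escaping step, which is why the hardened
 * function still has to validate and bind the value itself.
 */
function es_example_read_db_param() {
	return isset( $_REQUEST['db'] ) ? (string) wp_unslash( $_REQUEST['db'] ) : '';
}
```

If the parameter is legitimately a string, `%s` is the right placeholder; if it selects a table or column name, placeholders for values do not help and the code must compare the input against a fixed allow-list (or, on WordPress 6.2 and later, use the `%i` identifier placeholder).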
Attack Vector
The attack vector is network-based and requires no user interaction or authentication. An attacker can craft malicious HTTP requests containing SQL injection payloads in the db parameter. Since this is a time-based SQL injection, attackers use conditional time delays (such as SLEEP() functions in MySQL) to determine whether their injected conditions are true or false.
The exploitation process typically involves:
- Identifying the vulnerable endpoint that accepts the db parameter
- Injecting time-based SQL payloads to confirm the vulnerability
- Using blind SQL injection techniques to enumerate database structure
- Extracting sensitive data character by character through timed responses
For detailed technical analysis, refer to the WordPress Plugin Code Review and the Wordfence Vulnerability Report.
Detection Methods for CVE-2024-6172
Indicators of Compromise
- Unusual database query execution times or server response delays
- HTTP requests to Email Subscribers plugin endpoints containing SQL keywords like SLEEP, BENCHMARK, WAITFOR, or IF statements in the db parameter
- Multiple sequential requests to the same endpoint with varying parameter values, indicating automated data extraction attempts
- Unexpected database load or query patterns in MySQL slow query logs
Detection Strategies
- Monitor web application firewall (WAF) logs for SQL injection patterns targeting WordPress plugin endpoints
- Implement database query monitoring to detect anomalous time-based queries or excessive SLEEP() function calls
- Review Apache/Nginx access logs for requests containing URL-encoded SQL injection payloads
- Deploy intrusion detection systems (IDS) with signatures for time-based SQL injection attack patterns
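The log-review and WAF-pattern strategies above, carried out over sample access-log lines, as an added example that is not part of the original advisory. It is a small PHP CLI scanner; the combined-format log lines at the bottom are constructed samples, and the function names are hypothetical.

```php
<?php
/**
 * Added example, not from the original advisory. Reads Apache/Nginx
 * combined-format access log lines and flags requests whose `db` query
 * parameter carries a time-based SQL function call, grouped by client IP.
 * Sample lines are constructed; function names are hypothetical.
 * Run with:  php es_scan_access_log.php
 */

declare( strict_types = 1 );

// Time-delay functions the advisory names (SLEEP, BENCHMARK, conditional IF in
// MySQL; WAITFOR DELAY elsewhere), matched as whole words AFTER URL-decoding so
// that sleep%285%29 is caught while a value like "sleepy_list" is not.
const ES_TIME_BASED_PATTERN = '/\b(?:sleep|benchmark|if)\s*\(|\bwaitfor\s+delay\b/i';

/** Split one combined-format line into fields, or return null if it does not parse. */
function es_parse_log_line( string $line ): ?array {
	// client ident user [timestamp] "METHOD target PROTOCOL" status bytes ...
	$re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) /';
	if ( ! preg_match( $re, $line, $m ) ) {
		return null;
	}
	return [ 'ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'target' => $m[4], 'status' => (int) $m[5] ];
}

/** Return the URL-decoded `db` query value, or null if the request has none. */
function es_db_param( string $target ): ?string {
	$query = parse_url( $target, PHP_URL_QUERY );
	if ( ! is_string( $query ) ) {
		return null;
	}
	parse_str( $query, $params ); // parse_str() undoes percent-encoding for us
	return ( isset( $params['db'] ) && is_string( $params['db'] ) ) ? $params['db'] : null;
}

/** Flag one line: the parsed request plus the decoded payload, or null. */
function es_flag_line( string $line ): ?array {
	$req = es_parse_log_line( $line );
	if ( null === $req ) {
		return null;
	}
	$db = es_db_param( $req['target'] );
	if ( null === $db || ! preg_match( ES_TIME_BASED_PATTERN, $db ) ) {
		return null;
	}
	$req['db'] = $db;
	return $req;
}

/** Group flagged requests by client IP; a burst from one IP is the "sequential requests" indicator. */
function es_scan( iterable $lines ): array {
	$hits = [];
	foreach ( $lines as $line ) {
		$flag = es_flag_line( rtrim( $line, "\r\n" ) );
		if ( null !== $flag ) {
			$hits[ $flag['ip'] ][] = $flag;
		}
	}
	return $hits;
}

// Constructed sample lines: two benign requests (the second contains the word
// "sleep" but no function call) and two timed probes from one client.
$sample_lines = [
	'198.51.100.7 - - [02/Jul/2024:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?action=es_example&db=3 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
	'198.51.100.7 - - [02/Jul/2024:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?action=es_example&db=sleepy_list HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
	'203.0.113.5 - - [02/Jul/2024:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?action=es_example&db=3%20AND%20SLEEP%285%29 HTTP/1.1" 200 512 "-" "curl/8.0"',
	'203.0.113.5 - - [02/Jul/2024:10:00:09 +0000] "GET /wp-admin/admin-ajax.php?action=es_example&db=3%20AND%20BENCHMARK%281000000%2C1%29 HTTP/1.1" 200 512 "-" "curl/8.0"',
];

foreach ( es_scan( $sample_lines ) as $ip => $requests ) {
	printf( "%s: %d suspicious request(s)\n", $ip, count( $requests ) );
	foreach ( $requests as $r ) {
		printf( "  %s %s status=%d db=%s\n", $r['time'], $r['method'], $r['status'], $r['db'] );
	}
}
// Caveat: access logs carry only the query string. A `db` value sent in a POST
// body is invisible here; cover that path with WAF request logging or the
// MySQL slow-query log, which records the long-running SLEEP()/BENCHMARK() queries.
```

For a real log, replace `$sample_lines` with `new SplFileObject( '/var/log/apache2/access.log' )` (it is iterable line by line), and tune the pattern to the plugin endpoints your site actually exposes before turning hits into alerts.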
Monitoring Recommendations
- Enable WordPress debug logging and monitor for database errors or warnings related to the Email Subscribers plugin
- Configure real-time alerting for suspicious parameter values in HTTP requests to /wp-admin/admin-ajax.php and plugin-specific endpoints
- Implement rate limiting on plugin endpoints to slow down automated exploitation attempts
- Monitor outbound network traffic for data exfiltration following potential SQL injection attacks
How to Mitigate CVE-2024-6172
Immediate Actions Required
- Update the Email Subscribers by Icegram Express plugin to version 5.7.26 or later immediately
- Review database access logs for signs of prior exploitation attempts
- If unable to update immediately, consider temporarily disabling the plugin until patching is possible
- Conduct a security audit of subscriber data to ensure no unauthorized access has occurred
Patch Information
Icegram has released a security patch addressing this vulnerability. The fix is available in the plugin changeset which implements proper input sanitization and prepared statements for the affected database queries.
Review the official patch details, then update the plugin through the WordPress admin dashboard or download the latest version from the WordPress Plugin Developer Page.
Workarounds
- Implement a Web Application Firewall (WAF) rule to block requests containing SQL injection patterns in the db parameter
- Restrict access to WordPress admin and plugin endpoints at the web server level for untrusted IP addresses
- If the plugin is not critical to operations, temporarily deactivate it until the patched version can be applied
- Consider implementing additional database-level security controls such as read-only database users for the WordPress application
# Example .htaccess rule to block suspicious requests (temporary mitigation)
# Add to the WordPress root .htaccess file. Caveats: mod_rewrite matches the raw,
# still percent-encoded query string, so "(" must also be matched as %28; POST
# bodies are never inspected by this rule; and any query string containing one of
# these words (e.g. a search for "sleep") is refused with 403, so test first.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{QUERY_STRING} (sleep|benchmark|waitfor|if(\(|%28)) [NC]
RewriteRule .* - [F,L]
</IfModule>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

