CVE-2024-4010

Name of the Vulnerable Software and Affected Versions Email Subscribers by Icegram Express plugin for WordPress versions up to, and including, 5.7.19

Description The issue is related to a missing capability check on the handle ajax request function, allowing authenticated attackers with subscriber-level access and above to cause loss of confidentiality, integrity, and availability by performing unauthorized actions. These actions could also be used to conduct PHP Object Injection and SQL Injection attacks.

Recommendations For versions up to, and including, 5.7.19, consider disabling the handle ajax request function as a temporary workaround until a patch is available. Restrict access to the plugin's AJAX functionality to minimize the risk of exploitation. Avoid using the plugin until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.