CVE-2024-8254

Name of the Vulnerable Software and Affected Versions: Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce plugin for WordPress versions up to, and including, 5.7.34

Description: The issue is related to arbitrary shortcode execution due to the software allowing users to execute an action that does not properly validate a value before running do shortcode(). This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes.

Recommendations: For versions up to, and including, 5.7.34, update to a version that fixes the arbitrary shortcode execution issue. As a temporary workaround, consider restricting access to the do shortcode() function until a patch is available. Restrict access to the plugin's functionality for users with Subscriber-level access and above to minimize the risk of exploitation.