CVE-2025-12348

Name of the Vulnerable Software and Affected Versions Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin for WordPress versions up to and including 5.9.10

Description The Icegram Express plugin for WordPress does not properly verify user authorization when performing actions. Specifically, the run action scheduler task function lacks sufficient checks, allowing unauthenticated attackers to execute scheduled actions prematurely or repeatedly. This is achieved by guessing action IDs, which could trigger email sends, maintenance tasks, or other privileged operations, leading to unexpected system behavior and resource consumption.

Recommendations Versions prior to 5.9.10 are vulnerable. Update to a version greater than 5.9.10.