Have you found a vulnerability in a WordPress plugin or theme? Report vulnerabilities in WordPress plugins and themes through our bug bounty program and earn a bounty on all in-scope submissions, while we handle the responsible disclosure process on your behalf.

Icegram Express formerly known as Email Subscribers – The Ultimate Email Marketing & Automation Plugin for WordPress

Wordfence Intelligence > Vulnerability Database > WordPress Plugins > Icegram Express formerly known as Email Subscribers – The Ultimate Email Marketing & Automation Plugin for WordPress

Information

Software Type	Plugin
Software Slug	email-subscribers (view on wordpress.org)
Software Status	Active
Software Author	icegram
Software Website	www.icegram.com
Software Downloads	11,658,430
Software Active Installs	80,000
Software Record Last Updated	April 3, 2025

Showing 1-20 of 36 Vulnerabilities

Submit a Vulnerability

Email Subscribers by Icegram Express – Affordable, Powerful Email Marketing for WordPress & WooCommerce <= 5.7.44 - Authenticated (Admin+) Stored Cross-Site Scripting via Workflow Settings

4.4

CVE-2024-12568

Dec 23, 2024

Researcher: Dmitrii Ignatyev

Email Subscribers by Icegram Express – Affordable, Powerful Email Marketing for WordPress & WooCommerce <= 5.7.44 - Authenticated (Admin+) Stored Cross-Site Scripting via Form Settings

4.4

CVE-2024-12567

Dec 23, 2024

Researcher: Dmitrii Ignatyev

Email Subscribers by Icegram Express – Affordable, Powerful Email Marketing for WordPress & WooCommerce <= 5.7.44 - Authenticated (Admin+) Stored Cross-Site Scripting via Text Block

4.4

CVE-2024-11636

Dec 23, 2024

Researcher: Dmitrii Ignatyev

Email Subscribers by Icegram Express – Affordable, Powerful Email Marketing for WordPress & WooCommerce <= 5.7.44 - Authenticated (Admin+) Stored Cross-Site Scripting

4.4

CVE-2024-12566

Dec 23, 2024

Researcher: Dmitrii Ignatyev

Email Subscribers by Icegram Express – Affordable, Powerful Email Marketing for WordPress & WooCommerce <= 5.7.43 - Authenticated (Admin+) SQL Injection

4.9

CVE-2024-12311

Dec 16, 2024

Researcher: Dmitrii Ignatyev

Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce <= 5.7.34 - Authenticated (Subscriber+) Arbitrary Shortcode Execution

5.4

CVE-2024-8254

Oct 1, 2024

Researcher: Arkadiusz Hydzik

Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce <= 5.7.34 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure

4.3

CVE-2024-8771

Sep 25, 2024

Researcher: Michelle Porter

Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin <= 5.7.26 - Missing Authorization

4.3

CVE-2024-5703

Jul 16, 2024

Researcher: Arkadiusz Hydzik

Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce <= 5.7.25 - Unauthenticated SQL Injection via unsubscribe

9.8

CVE-2024-6172

Jul 1, 2024

Researcher: shaman0x01

Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin <= 5.7.23 - Unauthenticated SQL Injection via optin

9.8

CVE-2024-5756

Jun 20, 2024

Researcher: Arkadiusz Hydzik

Icegram Express <= 5.7.22 - Authenticated (Subscriber+) SQL Injection Vulnerability via options[list_id]

8.8

CVE-2024-4845

Jun 11, 2024

Researcher: Arkadiusz Hydzik

Email Subscribers by Icegram Express <= 5.7.20 - Unauthenticated SQL Injection via hash

9.8

CVE-2024-4295

Jun 4, 2024

Researcher: 1337_Wannabe

Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce <= 5.7.17 - Missing Authorization

4.3

CVE-2024-3626

May 22, 2024

Researcher: Thura Moe Myint (mgthuramoemyint)

Email Subscribers by Icegram Express <= 5.7.19 - Missing Authorization in handle_ajax_request

8.8

CVE-2024-4010

May 14, 2024

Researcher: Arkadiusz Hydzik

Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin <= 5.7.14 - Unauthenticated SQL Injection

9.8

CVE-2024-2876

Apr 15, 2024

Researcher: Arkadiusz Hydzik

Email Subscribers & Newsletters <= 5.7.13 - Missing Authorization

5.3

CVE-2024-31352

Apr 5, 2024

Researcher: Kévin Mosbahi (Mika)

Icegram Express <= 5.7.14 - Authenticated (Administrator+) Cross-Site Scripting via CSV import

4.4

CVE-2024-2656

Apr 5, 2024

Researcher: Peter17

Email Subscribers & Newsletters <= 5.7.11 - Reflected Cross-Site Scripting via campaign_id

6.1

CVE-2024-22300

Mar 26, 2024

Researcher: Rafie Muhammad

Icegram Express <= 5.6.23 - Authenticated (Administrator+) Directory Traversal to Arbitrary File Read

9.1

CVE-2023-5414

Oct 11, 2023

Researcher: Marco Wotschka

Icegram Express <= 5.5.2 - Unauthenticated CSV Injection

6.5

CVE-2022-45810

Feb 6, 2023

Researcher: Kévin Mosbahi (Mika)

Title	Status	CVE ID	CVSS	Researchers	Date
Email Subscribers by Icegram Express – Affordable, Powerful Email Marketing for WordPress & WooCommerce <= 5.7.44 - Authenticated (Admin+) Stored Cross-Site Scripting via Workflow Settings	Patched	CVE-2024-12568	4.4	Dmitrii Ignatyev	December 23, 2024
Email Subscribers by Icegram Express – Affordable, Powerful Email Marketing for WordPress & WooCommerce <= 5.7.44 - Authenticated (Admin+) Stored Cross-Site Scripting via Form Settings	Patched	CVE-2024-12567	4.4	Dmitrii Ignatyev	December 23, 2024
Email Subscribers by Icegram Express – Affordable, Powerful Email Marketing for WordPress & WooCommerce <= 5.7.44 - Authenticated (Admin+) Stored Cross-Site Scripting via Text Block	Patched	CVE-2024-11636	4.4	Dmitrii Ignatyev	December 23, 2024
Email Subscribers by Icegram Express – Affordable, Powerful Email Marketing for WordPress & WooCommerce <= 5.7.44 - Authenticated (Admin+) Stored Cross-Site Scripting	Patched	CVE-2024-12566	4.4	Dmitrii Ignatyev	December 23, 2024
Email Subscribers by Icegram Express – Affordable, Powerful Email Marketing for WordPress & WooCommerce <= 5.7.43 - Authenticated (Admin+) SQL Injection	Patched	CVE-2024-12311	4.9	Dmitrii Ignatyev	December 16, 2024
Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce <= 5.7.34 - Authenticated (Subscriber+) Arbitrary Shortcode Execution	Patched	CVE-2024-8254	5.4	Arkadiusz Hydzik	October 1, 2024
Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce <= 5.7.34 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure	Patched	CVE-2024-8771	4.3	Michelle Porter	September 25, 2024
Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin <= 5.7.26 - Missing Authorization	Patched	CVE-2024-5703	4.3	Arkadiusz Hydzik	July 16, 2024
Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce <= 5.7.25 - Unauthenticated SQL Injection via unsubscribe	Patched	CVE-2024-6172	9.8	shaman0x01	July 1, 2024
Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin <= 5.7.23 - Unauthenticated SQL Injection via optin	Patched	CVE-2024-5756	9.8	Arkadiusz Hydzik	June 20, 2024
Icegram Express <= 5.7.22 - Authenticated (Subscriber+) SQL Injection Vulnerability via options[list_id]	Patched	CVE-2024-4845	8.8	Arkadiusz Hydzik	June 11, 2024
Email Subscribers by Icegram Express <= 5.7.20 - Unauthenticated SQL Injection via hash	Patched	CVE-2024-4295	9.8	1337_Wannabe	June 4, 2024
Email Subscribers by Icegram Express – Email Marketing, Newsletters, Automation for WordPress & WooCommerce <= 5.7.17 - Missing Authorization	Patched	CVE-2024-3626	4.3	Thura Moe Myint (mgthuramoemyint)	May 22, 2024
Email Subscribers by Icegram Express <= 5.7.19 - Missing Authorization in handle_ajax_request	Patched	CVE-2024-4010	8.8	Arkadiusz Hydzik	May 14, 2024
Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin <= 5.7.14 - Unauthenticated SQL Injection	Patched	CVE-2024-2876	9.8	Arkadiusz Hydzik	April 15, 2024
Email Subscribers & Newsletters <= 5.7.13 - Missing Authorization	Patched	CVE-2024-31352	5.3	Kévin Mosbahi (Mika)	April 5, 2024
Icegram Express <= 5.7.14 - Authenticated (Administrator+) Cross-Site Scripting via CSV import	Patched	CVE-2024-2656	4.4	Peter17	April 5, 2024
Email Subscribers & Newsletters <= 5.7.11 - Reflected Cross-Site Scripting via campaign_id	Patched	CVE-2024-22300	6.1	Rafie Muhammad	March 26, 2024
Icegram Express <= 5.6.23 - Authenticated (Administrator+) Directory Traversal to Arbitrary File Read	Patched	CVE-2023-5414	9.1	Marco Wotschka	October 11, 2023
Icegram Express <= 5.5.2 - Unauthenticated CSV Injection	Patched	CVE-2022-45810	6.5	Kévin Mosbahi (Mika)	February 6, 2023

Did you know Wordfence Intelligence provides free personal and commercial API access to our comprehensive WordPress vulnerability database, along with a free webhook integration to stay on top of the latest vulnerabilities added and updated in the database? Get started today!

Learn more

Want to get notified of the latest vulnerabilities that may affect your WordPress site?
Install Wordfence on your site today to get notified immediately if your site is affected by a vulnerability that has been added to our database.

Get Wordfence

The Wordfence Intelligence WordPress vulnerability database is completely free to access and query via API. Please review the documentation on how to access and consume the vulnerability data via API.

Documentation

Icegram Express formerly known as Email Subscribers – The Ultimate Email Marketing & Automation Plugin for WordPress

Information

Showing 1-20 of 36 Vulnerabilities

Cookie Options

Strictly Necessary

Performance/Analytical

Targeting