5.3
CVE-2025-12348
- EPSS 0.1%
- Veröffentlicht 12.12.2025 09:20:29
- Zuletzt bearbeitet 12.12.2025 15:17:31
- Quelle security@wordfence.com
- CVE-Watchlists
- Unerledigt
Email Subscribers & Newsletters <= 5.9.10 - Missing Authentication to Unauthenticated Action Scheduler Task Execution
The Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 5.9.10. This is due to the plugin not properly verifying that a user is authorized to perform an action in the `run_action_scheduler_task` function. This makes it possible for unauthenticated attackers to execute scheduled actions early or repeatedly by guessing action IDs, potentially triggering email sends, maintenance tasks, or other privileged operations, causing unexpected state changes and resource usage.
Mögliche Gegenmaßnahme
Email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter Plugin for WordPress: Update to version 5.9.11, or a newer patched version
Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
LoginWeitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
Email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter Plugin for WordPress
Version
*-5.9.10
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
Herstellericegram
≫
Produkt
Email Subscribers & Newsletters – Powerful Email Marketing, Post Notification & Newsletter Plugin for WordPress & WooCommerce
Default Statusunaffected
Version <=
5.9.10
Version
*
Status
affected
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.1% | 0.265 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security@wordfence.com | 5.3 | 3.9 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
|
CWE-306 Missing Authentication for Critical Function
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.