5.3
CVE-2025-12348
- EPSS 0.38%
- Veröffentlicht 12.12.2025 09:20:29
- Zuletzt bearbeitet 15.04.2026 00:35:42
- Quelle security@wordfence.com
- CVE-Watchlists
- Unerledigt
Email Subscribers & Newsletters <= 5.9.10 - Missing Authentication to Unauthenticated Action Scheduler Task Execution
Email Subscribers & Newsletters <= 5.9.10 - Missing Authentication to Unauthenticated Action Scheduler Task Execution
The Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 5.9.10. This is due to the plugin not properly verifying that a user is authorized to perform an action in the `run_action_scheduler_task` function. This makes it possible for unauthenticated attackers to execute scheduled actions early or repeatedly by guessing action IDs, potentially triggering email sends, maintenance tasks, or other privileged operations, causing unexpected state changes and resource usage.
Mögliche Gegenmaßnahme
Email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter Plugin for WordPress: Update to version 5.9.11, or a newer patched version
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
Herstellericegram
≫
Produkt
Email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter Plugin for WordPress
Default Statusunaffected
Version <=
5.9.10
Version
0
Status
affected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
LoginWeitere Schwachstelleninformationen
SystemWordPress Plugin
≫
Produkt
Email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter Plugin for WordPress
Version
*-5.9.10
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.38% | 0.291 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security@wordfence.com | 5.3 | 3.9 | 1.4 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
|
CWE-306 Missing Authentication for Critical Function
The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
https://www.wordfence.com/threat-intel/vulnerabilities/id/c6ba7244-0ecf-412f-9b8b-6b81fa6cdeb5?source=cve
https://plugins.trac.wordpress.org/browser/email-subscribers/tags/5.9.4/lite/includes/classes/class-es-queue.php#L50
https://plugins.trac.wordpress.org/browser/email-subscribers/tags/5.9.4/lite/includes/classes/class-ig-es-background-process-helper.php#L194
https://plugins.trac.wordpress.org/changeset/3394838/email-subscribers/trunk/lite/includes/classes/class-ig-es-background-process-helper.php
https://www.wordfence.com/threat-intel/vulnerabilities/id/c6ba7244-0ecf-412f-9b8b-6b81fa6cdeb5