Vulnerability Description
The Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin for WordPress is vulnerable to Authorization in versions up to, and including, 5.9.10. This is due to the plugin not properly verifying that a user is authorized to perform an action in the `trigger_mailing_queue_sending` function. This makes it possible for unauthenticated attackers to force immediate email sending, bypass the schedule, increase server load, and change plugin state (e.g., last-cron-hit), enabling abuse or DoS-like effects.
CVSS Score
MEDIUM
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/browser/email-subscribers/tags/5.9.4/lite/inc
- https://plugins.trac.wordpress.org/browser/email-subscribers/tags/5.9.4/lite/inc
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new
- https://www.wordfence.com/threat-intel/vulnerabilities/id/0b4cbe21-9f1b-425b-814
FAQ
What is CVE-2025-12349?
CVE-2025-12349 is a vulnerability with a CVSS score of 5.3 (MEDIUM). The Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin for WordPress is vulnerable to Authorization in versions up to, and including, 5.9.10. This is due to the plugin no...
How severe is CVE-2025-12349?
CVE-2025-12349 has been rated MEDIUM with a CVSS base score of 5.3/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-12349?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.