漏洞描述
WordPress插件Icegram Express -邮件营销,新闻通讯,WordPress和WooCommerce自动化存在SQL注入漏洞。该漏洞存在于所有版本,包括5.7.14,通过'IG_ES_Subscribers_Query'类的'run'函数,由于对用户提供的参数逃逸不足以及对现有SQL查询准备不足。这使得未授权的攻击者可以将额外的SQL查询追加到已存在的查询中,从而可以提取数据库中的敏感信息。
WordPress Icegram Express 电子邮件订阅者存在SQL注入漏洞 (CVE-2024-2876)
PoC代码
暂无相关漏洞推荐
- WordPress Yoco Payments plugin /wp-json/yoco/logs 目录遍历漏洞(CVE-2025-13801)
- POC CVE-2012-10018: WordPress Mapplic <= 6.1 / Mapplic Lite <= 1.0 - Authenticated Stored XSS via SVG File Upload
- POC CVE-2024-29138: WordPress Restrict User Access <= 2.5 - Cross-Site Scripting
- POC wordpress-elementor-fpd: WordPress Elementor Page Builder - Full Path Disclosure
- POC wordpress-menu-image-fpd: WordPress Menu Image - Full Path Disclosure
- POC CVE-2015-8350: WordPress Calls to Action <=2.4.3 - Authenticated Reflected XSS
- POC CVE-2017-18580: WordPress Shortcodes Ultimate <= 5.0.0 - Authenticated Remote Code Execution
- POC CVE-2020-12832: WordPress Simple File List - Path Traversal
- POC CVE-2021-24657: Limit Login Attempts WordPress - Stored Cross-site Scripting
- POC CVE-2021-24681: Duplicate Page WordPress - Stored Cross-Site Scripting
- POC CVE-2021-25082: WordPress Popup Builder < 4.0.7 - Remote Code Execution
- POC CVE-2022-0765: WordPress Loco Translate < 2.6.1 - Cross-Site Scripting
- POC CVE-2022-0873: WordPress Gmedia Photo Gallery Plugin < 1.20.0 - Cross-Site Scripting