CVE-2024-4295: 
WordPress vulnerability analysis and mitigation

The Email Subscribers by Icegram Express plugin for WordPress has been identified with a critical security vulnerability (CVE-2024-4295) discovered in June 2024. The vulnerability affects all versions up to and including 5.7.20, impacting over 90,000 active installations. Security researcher 1337_Wannabe is credited with discovering this flaw (Security Online).

The vulnerability is classified as an SQL Injection flaw via the 'hash' parameter, stemming from insufficient escaping of user-supplied parameters and inadequate preparation of existing SQL queries. The severity of this vulnerability is rated at 9.8 CVSS (Critical), with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD, CVE Mitre).

The vulnerability allows unauthenticated attackers to append additional SQL queries to existing ones, potentially leading to the exposure of sensitive information from the database, including user data and website credentials. With over 90,000 active installations affected, the scope of potential impact is substantial (Security Online).

A patch has been released in version 5.7.21 of the Email Subscribers plugin. Website administrators are strongly advised to update their installations immediately to this latest version to address the SQL injection vulnerability (Wordpress Patch).