{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12349", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-27T14:22:50.164Z", "datePublished": "2025-11-19T04:28:18.783Z", "dateUpdated": "2026-04-08T16:34:50.368Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:34:50.368Z"}, "affected": [{"vendor": "icegram", "product": "Email Subscribers & Newsletters \u2013 Email Marketing, Post Notifications & Newsletter Plugin for WordPress", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.9.10", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin for WordPress is vulnerable to Authorization in versions up to, and including, 5.9.10. This is due to the plugin not properly verifying that a user is authorized to perform an action in the `trigger_mailing_queue_sending` function. This makes it possible for unauthenticated attackers to force immediate email sending, bypass the schedule, increase server load, and change plugin state (e.g., last-cron-hit), enabling abuse or DoS-like effects."}], "title": "Email Subscribers & Newsletters <= 5.9.10 - Missing Authentication to Unauthenticated Mailing Queue Trigger", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0b4cbe21-9f1b-425b-8141-ae075baaf717?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/email-subscribers/tags/5.9.4/lite/includes/classes/class-es-queue.php#L54"}, {"url": "https://plugins.trac.wordpress.org/browser/email-subscribers/tags/5.9.4/lite/includes/classes/class-es-queue.php#L1132"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3394838%40email-subscribers%2Ftrunk&old=3393565%40email-subscribers%2Ftrunk&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-306 Missing Authentication for Critical Function", "cweId": "CWE-306", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Adrian Lukita"}], "timeline": [{"time": "2025-11-18T16:15:48.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-19T20:10:16.949251Z", "id": "CVE-2025-12349", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-19T20:10:33.978Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12349", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-19T20:10:16.949251Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-19T20:10:28.316Z"}}], "cna": {"title": "Email Subscribers & Newsletters <= 5.9.10 - Missing Authentication to Unauthenticated Mailing Queue Trigger", "credits": [{"lang": "en", "type": "finder", "value": "Adrian Lukita"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "icegram", "product": "Email Subscribers & Newsletters \u2013 Email Marketing, Post Notifications & Newsletter Plugin for WordPress", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "5.9.10"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-18T16:15:48.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0b4cbe21-9f1b-425b-8141-ae075baaf717?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/email-subscribers/tags/5.9.4/lite/includes/classes/class-es-queue.php#L54"}, {"url": "https://plugins.trac.wordpress.org/browser/email-subscribers/tags/5.9.4/lite/includes/classes/class-es-queue.php#L1132"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3394838%40email-subscribers%2Ftrunk&old=3393565%40email-subscribers%2Ftrunk&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin for WordPress is vulnerable to Authorization in versions up to, and including, 5.9.10. This is due to the plugin not properly verifying that a user is authorized to perform an action in the `trigger_mailing_queue_sending` function. This makes it possible for unauthenticated attackers to force immediate email sending, bypass the schedule, increase server load, and change plugin state (e.g., last-cron-hit), enabling abuse or DoS-like effects."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "CWE-306 Missing Authentication for Critical Function"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:34:50.368Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12349", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:34:50.368Z", "dateReserved": "2025-10-27T14:22:50.164Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-19T04:28:18.783Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin for WordPress is vulnerable to Authorization in versions up to, and including, 5.9.10. This is due to the plugin not properly verifying that a user is authorized to perform an action in the `trigger_mailing_queue_sending` function. This makes it possible for unauthenticated attackers to force immediate email sending, bypass the schedule, increase server load, and change plugin state (e.g., last-cron-hit), enabling abuse or DoS-like effects."}], "id": "CVE-2025-12349", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-19T05:16:00.083", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/email-subscribers/tags/5.9.4/lite/includes/classes/class-es-queue.php#L1132"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/email-subscribers/tags/5.9.4/lite/includes/classes/class-es-queue.php#L54"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3394838%40email-subscribers%2Ftrunk&old=3393565%40email-subscribers%2Ftrunk&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0b4cbe21-9f1b-425b-8141-ae075baaf717?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T16:37:44.237439+00:00", "value": {"mitigation_remediation": ["Upgrade the plugin to version 5.9.11 or later", "If an upgrade is not yet available, block or restrict access to the trigger_mailing_queue_sending endpoint using a web application firewall or similar controls", "Disable or limit marketing automation or newsletter sending features within the plugin settings until a patch is applied"], "summary": {"action": "Patch Now", "impact": "Authorization bypass allows unauthenticated users to trigger immediate email sending, increasing server load and enabling spam or denial of service"}, "threat_synthesis": {"affected_systems": "Icegram Email Subscribers & Newsletters WordPress plugin for versions 5.9.10 and earlier is affected. Users of any installation running these or earlier versions are within scope.", "description_and_impact": "The Icegram Email Subscribers & Newsletters plugin for WordPress contains an authorization flaw that permits unauthenticated attackers to invoke the trigger_mailing_queue_sending function. This flaw lets an attacker force the plugin to send emails immediately, bypass scheduled sending, alter plugin state such as the last-cron-hit property, and potentially overload the server with outbound mail, creating spam or DoS\u2011like effects.", "risk_and_exploitability": "With a CVSS score of 5.3, the severity is moderate. The EPSS score of less than 1% indicates a very low probability of exploitation at the time of assessment, and the vulnerability is not listed in CISA KEV. The attack vector is inferred to be remote via an unauthenticated HTTP request to the plugin\u2019s queue trigger endpoint, which can be performed by any internet-connected user with access to the site\u2019s public URLs."}}}}, "created": "2025-11-20T10:31:00.422590+00:00", "updated": "2026-04-22T16:45:21.459092+00:00", "vendors": ["icegram", "icegram$PRODUCT$email_subscribers_&_newsletters", "wordpress", "wordpress$PRODUCT$wordpress"]}