{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-68038", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-15T10:01:03.747Z", "datePublished": "2025-12-24T13:10:25.043Z", "dateUpdated": "2026-04-28T16:14:27.348Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "email-subscribers-premium", "product": "Icegram Express Pro", "vendor": "Icegram", "versions": [{"changes": [{"at": "5.9.14", "status": "unaffected"}], "lessThanOrEqual": "5.9.14", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "theviper17 | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:23:09.826Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in Icegram Icegram Express Pro email-subscribers-premium allows Object Injection.<p>This issue affects Icegram Express Pro: from n/a through < 5.9.14.</p>"}], "value": "Deserialization of Untrusted Data vulnerability in Icegram Icegram Express Pro email-subscribers-premium allows Object Injection.This issue affects Icegram Express Pro: from n/a through < 5.9.14."}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "description": "Deserialization of Untrusted Data", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:27.348Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/email-subscribers-premium/vulnerability/wordpress-icegram-express-pro-plugin-5-9-11-php-object-injection-vulnerability?_s_id=cve"}], "title": "WordPress Icegram Express Pro plugin < 5.9.14 - PHP Object Injection vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-27T18:28:27.953502Z", "id": "CVE-2025-68038", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T18:28:30.292Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-68038", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-27T18:28:27.953502Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-24T18:53:59.864Z"}}], "cna": {"title": "WordPress Icegram Express Pro plugin < 5.9.14 - PHP Object Injection vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "theviper17 | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-586", "descriptions": [{"lang": "en", "value": "Object Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Icegram", "product": "Icegram Express Pro", "versions": [{"status": "affected", "changes": [{"at": "5.9.14", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "5.9.14"}], "packageName": "email-subscribers-premium", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:23:09.826Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/email-subscribers-premium/vulnerability/wordpress-icegram-express-pro-plugin-5-9-11-php-object-injection-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in Icegram Icegram Express Pro email-subscribers-premium allows Object Injection.This issue affects Icegram Express Pro: from n/a through < 5.9.14.", "supportingMedia": [{"type": "text/html", "value": "Deserialization of Untrusted Data vulnerability in Icegram Icegram Express Pro email-subscribers-premium allows Object Injection.<p>This issue affects Icegram Express Pro: from n/a through < 5.9.14.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:13:55.759Z"}}}, "cveMetadata": {"cveId": "CVE-2025-68038", "state": "PUBLISHED", "dateUpdated": "2026-04-27T18:28:30.292Z", "dateReserved": "2025-12-15T10:01:03.747Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2025-12-24T13:10:25.043Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Deserialization of Untrusted Data vulnerability in Icegram Icegram Express Pro email-subscribers-premium allows Object Injection.This issue affects Icegram Express Pro: from n/a through < 5.9.14."}], "id": "CVE-2025-68038", "lastModified": "2026-04-27T19:16:23.060", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2025-12-24T13:16:19.807", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/email-subscribers-premium/vulnerability/wordpress-icegram-express-pro-plugin-5-9-11-php-object-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T18:27:14.814227+00:00", "value": {"mitigation_remediation": ["Upgrade Icegram Express Pro to version 5.9.14 or newer to apply the deserialization safeguard. ", "If an update cannot be performed immediately, temporarily deactivate or remove the plugin to eliminate the attack surface. ", "Monitor incoming requests and server logs for attempts to unserialize data, and consider implementing a web application firewall rule to detect known malicious serialized payloads."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "WordPress sites that have the Icegram Express Pro email\u2011subscribers plugin installed with a version earlier than 5.9.14 are affected. The issue does not apply to versions 5.9.14 and newer, which have applied the necessary safeguard against unserialization of untrusted data.", "description_and_impact": "Deserialization of untrusted data in the Icegram Express Pro plugin allows an attacker to perform PHP object injection by providing a crafted serialized string. The vulnerability is a classic instance of CWE\u2011502, where the plugin fails to properly safeguard against malicious input during unserialization, enabling the attacker to instantiate arbitrary objects or invoke arbitrary methods that can lead to code execution or modification of sensitive data.", "risk_and_exploitability": "The CVSS score of 7.2 indicates a high risk of serious impact, while the EPSS score of less than 1% suggests that exploitation attempts are currently low in probability. The vulnerability is not listed in the CISA KEV catalog, implying no known widespread exploitation at this time. The likely attack vector would involve sending a malicious serialized payload to the plugin\u2019s endpoint or to a location where the plugin processes user\u2011supplied data, such as form submissions or query parameters. Successful exploitation would grant the attacker remote code execution capabilities on the affected WordPress installation."}}}}, "created": "2025-12-29T23:04:39.163533+00:00", "updated": "2026-04-28T18:30:37.342046+00:00", "vendors": ["icegram", "icegram$PRODUCT$icegram_express", "wordpress", "wordpress$PRODUCT$wordpress"]}