Vulnerabilities > Icegram
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-11-07 | CVE-2022-45810 | Improper Neutralization of Formula Elements in a CSV File vulnerability in Icegram Express Improper Neutralization of Formula Elements in a CSV File vulnerability in Icegram Icegram Express – Email Marketing, Newsletters and Automation for WordPress & WooCommerce.This issue affects Icegram Express – Email Marketing, Newsletters and Automation for WordPress & WooCommerce: from n/a through 5.5.2. | 9.8 |
| 2023-10-20 | CVE-2023-5414 | Path Traversal vulnerability in Icegram Express The Icegram Express plugin for WordPress is vulnerable to Directory Traversal in versions up to, and including, 5.6.23 via the show_es_logs function. | 7.2 |
| 2023-06-12 | CVE-2023-2398 | Unspecified vulnerability in Icegram Engage The Icegram Engage WordPress plugin before 3.1.12 does not escape a parameter before outputting it back in an attribute, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | 6.1 |
| 2023-04-07 | CVE-2023-25024 | Cross-site Scripting vulnerability in Icegram Collect Auth. | 4.8 |
| 2022-12-12 | CVE-2022-3981 | Unspecified vulnerability in Icegram Email Subscribers & Newsletters The Icegram Express WordPress plugin before 5.5.1 does not properly sanitise and escape a parameter before using it in a SQL statement, leading to a SQL injection exploitable by any authenticated users, such as subscriber | 8.8 |
| 2022-06-27 | CVE-2022-1776 | Cross-site Scripting vulnerability in Icegram Popups, Welcome Bar, Optins and Lead Generation Plugin The Popups, Welcome Bar, Optins and Lead Generation Plugin WordPress plugin before 2.1.8 does not sanitize and escape some campaign parameters, which could allow users with a role as low as contributor to perform Stored Cross-Site Scripting attacks | 5.4 |
| 2022-03-07 | CVE-2022-0439 | SQL Injection vulnerability in Icegram Email Subscribers & Newsletters The Email Subscribers & Newsletters WordPress plugin before 5.3.2 does not correctly escape the `order` and `orderby` parameters to the `ajax_fetch_report_list` action, making it vulnerable to blind SQL injection attacks by users with roles as low as Subscriber. | 8.8 |
| 2021-12-21 | CVE-2021-24941 | Cross-site Scripting vulnerability in Icegram The Popups, Welcome Bar, Optins and Lead Generation Plugin WordPress plugin before 2.0.5 does not sanitise and escape the message_id parameter of the get_message_action_row AJAX action before outputting it back in an attribute, leading to a reflected Cross-Site Scripting issue | 6.1 |
| 2021-10-19 | CVE-2021-36832 | Cross-site Scripting vulnerability in Icegram Engage WordPress Popups, Welcome Bar, Optins and Lead Generation Plugin – Icegram (versions <= 2.0.2) vulnerable at "Headline" (&message_data[16][headline]) input. | 5.4 |
| 2020-09-10 | CVE-2020-5780 | Missing Authentication for Critical Function vulnerability in Icegram Email Subscribers & Newsletters Missing Authentication for Critical Function in Icegram Email Subscribers & Newsletters Plugin for WordPress prior to version 4.5.6 allows a remote, unauthenticated attacker to conduct unauthenticated email forgery/spoofing. | 5.3 |