Overview
CVE-2025-12349 describes an authorization vulnerability affecting the Icegram Express – Email Subscribers, Newsletters and Marketing Automation Plugin for WordPress. Specifically, versions up to and including 5.9.10 are susceptible. This flaw allows unauthenticated attackers to trigger immediate email sending, bypassing scheduled delivery and potentially overwhelming the server with a flood of emails, leading to Denial of Service (DoS) conditions.
Technical Details
The vulnerability resides in the trigger_mailing_queue_sending function of the plugin. The core issue is that no authorization check runs before this function does its work: nothing verifies that the caller holds a capability that should be required to flush the mail queue, or that the call comes from the plugin's own scheduled cron run rather than from an arbitrary HTTP request. An attacker can therefore reach the function without authenticating as a legitimate user with the necessary permissions. The affected code is in lite/includes/classes/class-es-queue.php (the line numbers given in the original report, 1132 and 54, are inconsistent as printed and should be checked against the actual file).
By exploiting this lack of authorization, an attacker can:
- Force immediate email sending, overriding any scheduled email delivery configurations.
- Increase server load significantly, potentially causing performance degradation or even server crashes.
- Modify the plugin's state, such as the last-cron-hit value, further disrupting normal operation and potentially enabling other forms of abuse.
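The shape of the flaw and of its fix, as an added illustration that is not the plugin's own code. Only the method name trigger_mailing_queue_sending and the file class-es-queue.php come from the advisory; the class name ES_Queue_Example, the option name last-cron-hit, the capability manage_options and the nonce action es_trigger_queue are assumptions. The stubs at the top stand in for WordPress functions so the file runs on its own with php from the command line.

```php
<?php
// Added illustration of the CVE-2025-12349 pattern, not code from the plugin.
// Assumptions: the class name ES_Queue_Example, the option name last-cron-hit,
// the capability manage_options and the nonce action es_trigger_queue.

// Stand-ins so the file runs outside WordPress. Inside WordPress these
// functions already exist and the stubs are skipped.
if ( ! function_exists( 'current_user_can' ) ) {
    // Simulates an anonymous visitor: no capabilities at all.
    function current_user_can( $capability ) { return false; }
}
if ( ! function_exists( 'wp_verify_nonce' ) ) {
    function wp_verify_nonce( $nonce, $action ) { return false; }
}
if ( ! function_exists( 'update_option' ) ) {
    function update_option( $name, $value ) {
        echo "update_option('$name') called\n";
        return true;
    }
}
if ( ! function_exists( 'wp_doing_cron' ) ) {
    function wp_doing_cron() { return false; }
}

class ES_Queue_Example {

    private function send_queued_emails() {
        // Stand-in for the real queue flush that sends every pending email now.
        echo "queue flushed: pending emails sent immediately\n";
    }

    // Vulnerable shape: if this method is wired to an entry point that
    // unauthenticated requests can reach (a nopriv AJAX action, a public
    // REST route, a query parameter), nothing stops an anonymous caller
    // from forcing the whole queue out and overwriting plugin state.
    public function trigger_mailing_queue_sending_vulnerable() {
        update_option( 'last-cron-hit', time() ); // state change noted in the advisory
        $this->send_queued_emails();
        return 'sent';
    }

    // Hardened shape: the scheduled cron run may proceed; a request-driven
    // call must come from a user with the right capability and carry a
    // valid nonce, so it can be fired neither by an unauthenticated visitor
    // nor by CSRF against a logged-in administrator.
    public function trigger_mailing_queue_sending_hardened( $nonce = '' ) {
        if ( ! wp_doing_cron() ) {
            if ( ! current_user_can( 'manage_options' ) ) {
                return 'denied: insufficient capability';
            }
            if ( ! wp_verify_nonce( $nonce, 'es_trigger_queue' ) ) {
                return 'denied: invalid nonce';
            }
        }
        update_option( 'last-cron-hit', time() );
        $this->send_queued_emails();
        return 'sent';
    }
}

// Exercise both shapes as an anonymous, non-cron caller.
$queue = new ES_Queue_Example();
echo 'vulnerable handler: ', $queue->trigger_mailing_queue_sending_vulnerable(), "\n";
echo 'hardened handler:   ', $queue->trigger_mailing_queue_sending_hardened( 'bogus' ), "\n";
```

Run as an anonymous caller, the vulnerable method flushes the queue and touches the stored option, while the hardened one returns a denial before doing either. The two checks address different things: the capability check is the authorization the advisory says is missing, and the nonce check keeps a logged-in administrator from being tricked into triggering the send through a forged request. The wp_doing_cron() branch is what lets the legitimate scheduled delivery keep working without a logged-in user.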
CVSS Analysis
The Common Vulnerability Scoring System (CVSS) score for CVE-2025-12349 is 5.3 (MEDIUM). This score reflects the fact that the vulnerability is exploitable remotely without authentication or user interaction, with no confidentiality or integrity impact. The availability impact that remains is rated Low in CVSS terms (a 5.3 with no other impact corresponds to a partial, not total, loss of availability), which matches the practical effect: an attacker can make the server burn bandwidth and CPU sending mail early and repeatedly, but cannot by this alone guarantee that the site goes down.
Possible Impact
The impact of this vulnerability can range from minor disruptions to severe service outages. Specifically, successful exploitation could lead to:
- Denial of Service (DoS): By forcing the server to send a large volume of emails, an attacker can overwhelm the server’s resources, making the website or email service unavailable to legitimate users.
- Resource Exhaustion: The excessive email sending can consume significant bandwidth and processing power, impacting the performance of other services hosted on the same server.
- Reputation Damage: A sudden burst of queued newsletters, sent ahead of schedule or repeatedly, looks like spam to receiving mail providers and can get the server's IP address or sending domain blacklisted, degrading deliverability of legitimate mail long after the attack stops.
Mitigation or Patch Steps
The recommended mitigation is to update the Icegram Express plugin to the latest version. The vulnerability has been patched in versions newer than 5.9.10. The patch likely involves adding proper authorization checks to the trigger_mailing_queue_sending function (a capability check and, for request-driven entry points, a nonce check) so that only authorized users or the plugin's own scheduled cron run can trigger email sending. After updating, confirm the installed version on the Plugins screen or with wp plugin list under WP-CLI, and check the plugin's sending logs for unexpected bursts of mail that would indicate the flaw was already exploited.
If updating the plugin is not immediately possible, consider temporarily disabling the Icegram Express plugin until the update can be applied. This prevents attackers from exploiting the vulnerability, at the cost of suspending all newsletter delivery and subscription forms served by the plugin for the duration.
