CVE-2025-68038
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Description
Deserialization of Untrusted Data vulnerability in Icegram Icegram Express Pro email-subscribers-premium allows Object Injection. This issue affects Icegram Express Pro: from n/a through < 5.9.14.
Analysis
PHP object injection in Icegram Express Pro (a WordPress email marketing plugin) through version 5.9.13 lets unauthenticated remote attackers execute arbitrary code via unsafe deserialization of user-controlled data. With a CVSS 3.1 base score of 9.8 (critical) and a network attack vector that requires neither authentication nor user interaction, this is a severe pre-authentication RCE risk. The EPSS score of 0.06% (19th percentile) suggests a low immediate exploitation probability, and no public exploit or CISA KEV listing had been identified at the time of analysis, though the Patchstack disclosure increases attacker awareness.
Technical Context
This vulnerability stems from unsafe PHP deserialization (CWE-502), a class of flaws in which an application reconstructs serialized objects from untrusted sources without validation. In PHP, unserialize() can instantiate arbitrary classes and trigger magic methods (__wakeup, __destruct, __toString), letting attackers leverage existing code (gadget chains) in WordPress core, plugins, or themes to achieve remote code execution. Icegram Express Pro is a premium WordPress email subscription and marketing plugin. The affected component processes serialized data from network requests without proper sanitization, creating an object injection vector. Unlike simple SQL injection or XSS, PHP object injection requires suitable gadget chains to be present in the application environment before it can be weaponized, but successful exploitation typically yields complete server compromise. According to the vendor advisory, the vulnerability affects all versions prior to 5.9.14.
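The unsafe and hardened deserialization patterns described above, as an added PHP example that is not code from the Icegram plugin or from this advisory. The CacheWarmer class is hypothetical and stands in for any autoloadable application class whose magic method has side effects; decode_untrusted() and contains_object() are assumed names for the hardened replacement, and PHP 8.0 or later is assumed for the mixed type hint.

```php
<?php
declare(strict_types=1);

// Hypothetical application class (not from the plugin) standing in for any class
// reachable by the autoloader whose magic method has side effects. The side effect
// here is only a note in $GLOBALS, so the demonstration is harmless.
final class CacheWarmer
{
    public string $path = 'wp-content/cache';

    public function __wakeup(): void
    {
        $GLOBALS['magic_fired'][] = static::class . '::__wakeup';
    }
}

/**
 * Hardened replacement for a bare unserialize() on request data (assumed name).
 * allowed_classes => false disables object instantiation, so no __wakeup,
 * __destruct or __toString of any application class can run; any object left
 * in the result (now a __PHP_Incomplete_Class) is rejected instead of passed on.
 */
function decode_untrusted(string $data): array
{
    $decoded = @unserialize($data, ['allowed_classes' => false]);
    if ($decoded === false && $data !== 'b:0;') {
        throw new InvalidArgumentException('malformed serialized data');
    }
    if (!is_array($decoded) || contains_object($decoded)) {
        throw new InvalidArgumentException('only scalar/array payloads are accepted here');
    }
    return $decoded;
}

// Recursively checks a decoded value for any object, including incomplete ones.
function contains_object(mixed $value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

// Constructed inputs: an innocuous settings array and a payload that names a class.
// In the vulnerable pattern both arrive from a request and go straight to unserialize().
$benign   = serialize(['list_id' => 7, 'double_optin' => true]);
$objectIn = serialize(['settings' => new CacheWarmer()]);

// Vulnerable pattern: the class named in the input is instantiated and __wakeup runs.
$GLOBALS['magic_fired'] = [];
unserialize($objectIn);
printf("bare unserialize(): %d magic method(s) fired\n", count($GLOBALS['magic_fired']));

// Hardened pattern: nothing is instantiated, and the object-bearing payload is refused.
$GLOBALS['magic_fired'] = [];
print_r(decode_untrusted($benign));
try {
    decode_untrusted($objectIn);
} catch (InvalidArgumentException $e) {
    printf("rejected: %s (%d magic method(s) fired)\n", $e->getMessage(), count($GLOBALS['magic_fired']));
}
```

Running the script with the php CLI shows one magic method firing for the bare call and none for the hardened one. Where the developer controls the data format, exchanging JSON through json_decode() with an explicit structure check avoids unserialize() on request data entirely; the allowed_classes option is the fallback for formats that cannot be changed.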
Affected Products
Icegram Express Pro (previously marketed as email-subscribers-premium), a commercial WordPress plugin for email marketing and subscriber management, in all versions from the earliest release through 5.9.13 inclusive. The Patchstack reference specifically identifies version 5.9.11 as vulnerable, and the CVE range indicates that all versions below 5.9.14 are affected. This is a premium/paid plugin distributed through Icegram's commercial channels rather than the WordPress.org repository, which may limit its deployment footprint compared to free alternatives. Administrators can verify the installed version in the WordPress admin dashboard under Plugins, or by inspecting the plugin header in the wp-content/plugins/email-subscribers-premium/ directory.
Remediation
Immediately upgrade Icegram Express Pro to version 5.9.14 or later, which addresses the unsafe deserialization according to the vendor advisory at Patchstack (https://patchstack.com/database/Wordpress/Plugin/email-subscribers-premium/vulnerability/wordpress-icegram-express-pro-plugin-5-9-11-php-object-injection-vulnerability). Updates for premium plugins typically require downloading from the vendor's customer portal or using the plugin's built-in update mechanism with a valid license key. Before patching, administrators should review web server logs for suspicious POST requests to API endpoints or form handlers that contain serialized PHP data patterns (strings beginning with a:, O: or C:) as potential exploitation indicators. If immediate patching is not feasible, implement web application firewall rules to inspect and block requests containing serialized object patterns, restrict plugin administrative functions to trusted IP ranges, and keep WordPress core and all other plugins current to minimize the gadget chains available. No compensating control fully mitigates object injection risk; patching remains the only reliable remediation.
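The log review step above, as an added PHP CLI example that is not part of the advisory and not an Icegram tool. The four log lines are constructed for the demonstration and the class name SomeClass is a placeholder. The script scans whatever the logging configuration captured (request line, query string, and any cookie or body field that was logged), and it decodes URL encoding and base64 before matching, since serialized data rarely appears in a request as plain text. Standard access logs do not record POST bodies, so applying the same scan to bodies requires a WAF or request-audit log as input.

```php
<?php
declare(strict_types=1);

// Start of a serialized PHP object (O:) or custom-serialized object (C:):
//   O:<len>:"<ClassName>":   /   C:<len>:"<ClassName>":
// Serialized arrays (a:) are not flagged on their own because many legitimate
// WordPress requests carry them, which makes that signal too noisy.
const SERIALIZED_OBJECT = '/(?<![A-Za-z0-9])[OC]:\d+:"[A-Za-z_\\\\][A-Za-z0-9_\\\\]*":/';

/**
 * Returns the forms in which a logged field may hide serialized data: as-is,
 * URL-decoded (up to twice, for double-encoding by proxies or scripts), and any
 * base64 token that decodes cleanly (cookies and hidden fields often use base64).
 */
function candidate_decodings(string $field): array
{
    $forms   = [$field];
    $current = $field;
    for ($i = 0; $i < 2; $i++) {
        $next = urldecode($current);
        if ($next === $current) {
            break;
        }
        $forms[] = $current = $next;
    }
    if (preg_match_all('#(?<![A-Za-z0-9+/])[A-Za-z0-9+/]{16,}={0,2}#', $current, $m)) {
        foreach ($m[0] as $token) {
            $decoded = base64_decode($token, true);
            if ($decoded !== false) {
                $forms[] = $decoded;
            }
        }
    }
    return $forms;
}

/**
 * Scans log lines and returns [line number => matched marker] for every line in
 * which a serialized object marker appears in any of its decodings.
 */
function find_serialized_objects(array $lines): array
{
    $hits = [];
    foreach ($lines as $i => $line) {
        foreach (candidate_decodings($line) as $form) {
            if (preg_match(SERIALIZED_OBJECT, $form, $m)) {
                $hits[$i + 1] = $m[0];
                break;
            }
        }
    }
    return $hits;
}

// Constructed sample lines (not real traffic): a clean request, a serialized array
// in a query string (benign, not flagged), a URL-encoded object marker in a query
// string, and the same marker base64-encoded in a query parameter.
$sample = [
    '203.0.113.10 - - [01/Jan/2025:10:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3211',
    '203.0.113.11 - - [01/Jan/2025:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=es_example&opts=a%3A1%3A%7Bs%3A1%3A%22k%22%3Bs%3A1%3A%22v%22%3B%7D HTTP/1.1" 200 48',
    '203.0.113.12 - - [01/Jan/2025:10:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=es_example&opts=O%3A9%3A%22SomeClass%22%3A0%3A%7B%7D HTTP/1.1" 200 48',
    '203.0.113.13 - - [01/Jan/2025:10:00:03 +0000] "GET /?ref=Tzo5OiJTb21lQ2xhc3MiOjA6e30= HTTP/1.1" 200 3211',
];

foreach (find_serialized_objects($sample) as $lineNo => $marker) {
    printf("line %d: serialized object marker %s\n", $lineNo, $marker);
}
// Lines 3 and 4 are reported (the URL-encoded and the base64-encoded marker); line 2 is not.
```

A hit is an indicator, not proof of exploitation: confirm by checking which endpoint received the request, whether the response status suggests the handler accepted it, and whether the source address appears in other anomalous traffic. The same marker pattern, applied to decoded request bodies, is also the basis for a WAF rule while the patch is being rolled out.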