CVE-2024-4845 is a SQL Injection vulnerability classified under CWE-89 found in the Icegram Express plugin for WordPress, which is widely used for email marketing, newsletters, and automation in WordPress and WooCommerce environments. The vulnerability arises from improper neutralization of special elements in the 'options[list_id]' parameter, which is insufficiently escaped and not properly prepared in the SQL query. This flaw allows authenticated attackers with Subscriber-level access or higher to append arbitrary SQL commands to existing queries. Because the plugin does not adequately sanitize or parameterize this input, attackers can manipulate the database query to extract sensitive information such as user data, email lists, or other confidential content stored in the database. The vulnerability affects all versions up to 5.7.22, making it broadly impactful for users who have not updated. The CVSS 3.1 score of 8.8 reflects the high impact on confidentiality, integrity, and availability, with low attack complexity and no user interaction required beyond authentication. Although no public exploits have been reported yet, the vulnerability's nature and ease of exploitation pose a significant risk. The plugin’s role in managing email subscribers and marketing data means that exploitation could lead to data leakage, unauthorized data manipulation, or disruption of marketing operations.

The impact of CVE-2024-4845 is substantial for organizations using the Icegram Express plugin on WordPress sites, especially those handling sensitive customer or subscriber data. Successful exploitation can lead to unauthorized disclosure of sensitive information, including subscriber lists, personal data, and potentially administrative credentials if stored in the database. This compromises confidentiality and can lead to privacy violations and regulatory non-compliance. Integrity of data is also at risk, as attackers could modify or delete records, disrupting marketing campaigns or corrupting data. Availability may be affected if attackers execute destructive queries or cause database errors. Given the plugin’s integration with WooCommerce, e-commerce operations could be disrupted, impacting business continuity and revenue. The requirement for only Subscriber-level access lowers the barrier for exploitation, increasing the threat surface. Organizations worldwide that rely on WordPress for marketing and e-commerce are at risk of data breaches, reputational damage, and financial losses.

To mitigate CVE-2024-4845, organizations should immediately update the Icegram Express plugin to a version that addresses this vulnerability once released by the vendor. Until a patch is available, restrict Subscriber-level access and review user roles to minimize the number of users with such privileges. Implement Web Application Firewall (WAF) rules to detect and block suspicious SQL injection patterns targeting the 'options[list_id]' parameter. Conduct thorough input validation and sanitization on all user-supplied data at the application level. Regularly audit database queries and logs for unusual activity that may indicate exploitation attempts. Employ the principle of least privilege for database accounts used by the plugin to limit the scope of potential damage. Additionally, monitor WordPress and plugin security advisories for updates and apply security patches promptly. Consider isolating critical marketing and e-commerce systems to reduce lateral movement in case of compromise.