CVE-2024-8254 is a vulnerability classified under CWE-94 (Improper Control of Generation of Code) affecting the 'Email Subscribers by Icegram Express' WordPress plugin, which is widely used for email marketing, newsletters, and automation in WordPress and WooCommerce environments. The flaw exists because the plugin improperly validates user-supplied input before passing it to the WordPress function do_shortcode, which executes shortcodes. This improper validation allows authenticated users with Subscriber-level privileges or higher to inject and execute arbitrary shortcodes. Since shortcodes can trigger PHP code execution or other plugin functionality, this can lead to unauthorized actions within the WordPress site context. The vulnerability affects all plugin versions up to and including 5.7.34. The attack vector is network-based and requires low attack complexity, with no user interaction needed beyond authentication. The scope is limited to the affected plugin and the WordPress environment it runs on. The CVSS v3.1 base score is 5.4, indicating medium severity, with impacts primarily on confidentiality and integrity but not availability. No public exploits have been reported yet, but the vulnerability poses a risk especially in environments where subscriber accounts are easily created or compromised.

The vulnerability allows attackers with subscriber-level access to execute arbitrary shortcodes, which can lead to unauthorized disclosure or modification of data within the WordPress site. This can compromise the confidentiality and integrity of the site’s content and potentially user data managed by the plugin or other integrated components. While it does not directly impact system availability, the ability to execute arbitrary code snippets could be leveraged for further attacks, including privilege escalation or persistent backdoors if combined with other vulnerabilities. Organizations relying on this plugin for email marketing and automation may face reputational damage, data leakage, or manipulation of marketing content. The risk is heightened in sites with weak user access controls or where subscriber accounts are frequently created by external users. Since the plugin is used globally, the impact can be widespread, affecting small to large businesses using WordPress and WooCommerce for customer engagement.

1. Immediately update the 'Email Subscribers by Icegram Express' plugin to a version that patches this vulnerability once available. 2. Until a patch is released, restrict subscriber-level user capabilities to prevent shortcode execution by limiting access to plugin features or disabling shortcode processing for low-privilege users. 3. Implement strict user role management and monitor for unusual shortcode usage or content changes in the WordPress admin area. 4. Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious shortcode injection attempts. 5. Regularly audit installed plugins and user permissions to minimize the attack surface. 6. Educate site administrators about the risks of allowing subscriber-level users to execute code and encourage strong authentication practices to prevent account compromise. 7. Monitor security advisories from the vendor and WordPress security communities for updates and exploit reports.