CVE-2025-12348: CWE-306 Missing Authentication for Critical Function in icegram Email Subscribers & Newsletters – Powerful Email Marketing, Post Notification & Newsletter Plugin for WordPress & WooCommerce

Severity: Medium
Tags: Vulnerability, CVE-2025-12348, CWE-306
Published: Fri Dec 12 2025 (12/12/2025, 09:20:29 UTC)
Source: CVE Database V5
Vendor/Project: icegram
Product: Email Subscribers & Newsletters – Powerful Email Marketing, Post Notification & Newsletter Plugin for WordPress & WooCommerce

Description

The Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 5.9.10. This is due to the plugin not properly verifying that a user is authorized to perform an action in the `run_action_scheduler_task` function. This makes it possible for unauthenticated attackers to execute scheduled actions early or repeatedly by guessing action IDs, potentially triggering email sends, maintenance tasks, or other privileged operations, causing unexpected state changes and resource usage.

AI-Powered Analysis

AI analysis last updated: 12/19/2025, 11:18:58 UTC

Technical Analysis

CVE-2025-12348 is a vulnerability classified under CWE-306 (Missing Authentication for Critical Function) affecting the Icegram Express plugin for WordPress and WooCommerce, specifically versions up to and including 5.9.10. The vulnerability arises because the plugin's run_action_scheduler_task function does not properly verify whether a user is authorized to execute scheduled actions. This lack of authentication allows unauthenticated attackers to guess valid action IDs and trigger scheduled tasks prematurely or multiple times. These tasks can include sending marketing emails, running maintenance routines, or other privileged operations that the plugin schedules. Exploitation of this flaw can lead to unintended state changes within the plugin's operation, such as repeated email blasts or excessive resource consumption on the hosting server. Although the vulnerability does not expose sensitive data or directly cause denial of service, it undermines the integrity of the plugin's scheduled functions and can disrupt normal marketing and notification workflows. The vulnerability is remotely exploitable without any user interaction or privileges, increasing its risk profile. No patches or fixes are currently linked, and no active exploitation has been reported. The CVSS v3.1 score is 5.3, indicating a medium severity level primarily due to the lack of authentication combined with limited impact on confidentiality and availability.

Potential Impact

For European organizations using WordPress sites with the Icegram Express plugin, this vulnerability can lead to unauthorized triggering of scheduled marketing emails or maintenance tasks. This may result in spam-like email floods, damaging the organization's reputation and potentially causing blacklisting by email providers. Additionally, repeated execution of resource-intensive tasks could degrade website performance or increase hosting costs. While no direct data breach is implied, the integrity of marketing communications and operational stability is at risk. Organizations relying heavily on automated email marketing or notifications may experience workflow disruptions, impacting customer engagement and business operations. The vulnerability could also be leveraged as part of a broader attack chain to create distractions or resource exhaustion. Given the widespread use of WordPress and WooCommerce in Europe, especially among SMEs and e-commerce businesses, the impact could be significant if exploited at scale.

Mitigation Recommendations

European organizations should immediately verify if their WordPress installations use the Icegram Express plugin, particularly versions up to 5.9.10. Since no official patch links are provided, administrators should monitor vendor announcements for updates and apply patches as soon as they become available. In the interim, restrict access to the plugin's scheduled task endpoints by implementing web application firewall (WAF) rules that block unauthenticated requests targeting the run_action_scheduler_task function or related URLs. Employ rate limiting to prevent brute-force guessing of action IDs. Review and harden WordPress user roles and permissions to minimize exposure. Consider disabling or limiting the plugin's scheduling features if not critical. Regularly audit scheduled tasks and logs for unusual activity indicative of exploitation attempts. Additionally, ensure that email sending limits and spam protections are in place to mitigate potential abuse. Finally, maintain up-to-date backups and incident response plans to quickly recover from any disruptions caused by exploitation.
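The log-audit and rate-limiting advice above can be turned into a concrete check. The script below is an added example for this advisory; it is not code from the advisory, from Wordfence or from the Icegram plugin. It parses web server access logs in combined log format, keeps only requests aimed at the scheduler endpoint, and flags any client that touches many distinct action IDs (enumeration) or re-runs the same ID repeatedly (forced re-execution) inside a short window. The request shape it matches (admin-ajax.php with `action` and `action_id` query parameters) and the sample log lines are assumptions constructed for the example; the advisory only names the `run_action_scheduler_task` function, so replace `SCHEDULER_RE` with the pattern your installation actually uses.

```python
"""Detect guessing of scheduler action IDs from web server access logs.

Added example for this advisory; not code from the advisory, from Wordfence
or from the Icegram plugin. The endpoint shape (admin-ajax.php with "action"
and "action_id" query parameters) is an ASSUMPTION for illustration only.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx combined log format; only ip, timestamp, path and status are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Assumed request shape (not taken from the plugin): the scheduler function name
# appears in the query string together with a numeric action id.
SCHEDULER_RE = re.compile(r'run_action_scheduler_task.*?[?&]action_id=(?P<aid>\d+)')


def parse_line(line):
    """Return a dict for a scheduler-endpoint request, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    s = SCHEDULER_RE.search(m.group('path'))
    if not s:
        return None
    return {
        'ip': m.group('ip'),
        'ts': datetime.strptime(m.group('time'), '%d/%b/%Y:%H:%M:%S %z'),
        'action_id': int(s.group('aid')),
        'status': int(m.group('status')),
    }


def find_guessing(lines, window_seconds=60, distinct_threshold=5, repeat_threshold=3):
    """Map client IP -> finding for clients whose scheduler traffic looks like ID guessing.

    A client is flagged if, within any window of `window_seconds`, it requested
    at least `distinct_threshold` different action IDs or the same action ID
    at least `repeat_threshold` times.
    """
    by_ip = defaultdict(list)
    for event in filter(None, map(parse_line, lines)):
        by_ip[event['ip']].append(event)

    findings = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e['ts'])
        for i, first in enumerate(events):
            # Sliding window anchored at each request in turn.
            ids = [e['action_id'] for e in events[i:]
                   if (e['ts'] - first['ts']).total_seconds() <= window_seconds]
            distinct = len(set(ids))
            max_repeats = max(ids.count(aid) for aid in set(ids))
            if distinct >= distinct_threshold or max_repeats >= repeat_threshold:
                findings[ip] = {
                    'window_start': first['ts'].isoformat(),
                    'requests_in_window': len(ids),
                    'distinct_ids': distinct,
                    'max_repeats': max_repeats,
                }
                break
    return findings


# Constructed sample log (not real traffic): one ordinary client, one client
# walking action IDs 1..6 in six seconds, one client re-running ID 42 four times.
def _line(ip, hhmmss, path, ua):
    return (f'{ip} - - [12/Dec/2025:{hhmmss} +0000] "GET {path} HTTP/1.1" '
            f'200 512 "-" "{ua}"')


_SCHED = '/wp-admin/admin-ajax.php?action=run_action_scheduler_task&action_id='
SAMPLE_LOG = (
    [_line('198.51.100.20', '09:20:29', _SCHED + '17', 'Mozilla/5.0')]
    + [_line('203.0.113.7', f'09:21:0{n}', _SCHED + str(n), 'curl/8.0') for n in range(1, 7)]
    + [_line('203.0.113.9', f'09:25:1{n}', _SCHED + '42', 'python-requests/2.31') for n in range(4)]
    + [_line('198.51.100.20', '09:30:00', '/shop/', 'Mozilla/5.0')]
)

if __name__ == '__main__':
    for ip, finding in find_guessing(SAMPLE_LOG).items():
        print(ip, finding)
```

Run against the constructed sample, the script reports 203.0.113.7 (six distinct IDs in one minute) and 203.0.113.9 (the same ID four times) and stays silent for the ordinary client. The thresholds are deliberately low for the demonstration; in production, set them from a baseline of how often legitimate cron or admin traffic hits the endpoint, and feed flagged clients into the WAF or rate-limit rule the recommendations call for.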


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2025-10-27T14:21:51.223Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 693be422406b3dd4e02223ca

Added to database: 12/12/2025, 9:45:06 AM

Last enriched: 12/19/2025, 11:18:58 AM

Last updated: 2/7/2026, 1:59:15 AM

Views: 63

Community Reviews

0 reviews