The vulnerability identified as CVE-2025-12349 affects the Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin for WordPress and WooCommerce, specifically versions up to and including 5.9.10. The root cause is a missing authentication check in the function trigger_mailing_queue_sending, which is responsible for initiating the sending of queued emails. Because the plugin does not verify whether the requester is authorized to invoke this function, unauthenticated attackers can force the plugin to send emails immediately, bypassing any scheduled timing controls. This can lead to increased server load due to unexpected email bursts and manipulation of plugin state variables such as last-cron-hit, which may affect the plugin's internal scheduling and monitoring mechanisms. The vulnerability is classified under CWE-306 (Missing Authentication for Critical Function), highlighting the lack of proper access control. The CVSS v3.1 base score is 5.3 (medium), reflecting that the attack vector is network-based, requires no privileges or user interaction, and impacts integrity by allowing unauthorized triggering of email sends. There is no direct impact on confidentiality or availability, but the integrity and reliability of the email marketing process can be compromised. No patches or exploits are currently publicly available, but the vulnerability is published and should be addressed promptly.

The primary impact of this vulnerability is on the integrity and operational stability of organizations using the Icegram Express plugin for email marketing and newsletters. Attackers can abuse the missing authentication to trigger immediate email sends, potentially flooding recipients with unscheduled emails, which could damage brand reputation and customer trust. The increased server load from forced email bursts can degrade website performance or cause denial-of-service-like conditions, affecting availability indirectly. Additionally, manipulation of plugin state variables may disrupt normal scheduling and automation workflows, leading to operational inefficiencies. While no direct data confidentiality breach is indicated, the abuse of email sending functions could be leveraged in broader phishing or spam campaigns, indirectly increasing risk. Organizations relying heavily on WordPress and WooCommerce for marketing automation are at risk of service disruption and reputational harm if this vulnerability is exploited.

To mitigate this vulnerability, organizations should immediately update the Icegram Express plugin to a version that includes proper authentication checks for the trigger_mailing_queue_sending function once available. Until a patch is released, administrators can implement the following specific measures: 1) Restrict access to the plugin's endpoints or functions via web application firewall (WAF) rules to block unauthenticated requests targeting the mailing queue trigger; 2) Limit access to the WordPress REST API or AJAX handlers used by the plugin to authenticated and authorized users only; 3) Monitor server logs for unusual spikes in email sending or requests to the affected function; 4) Employ rate limiting on email sending functions to prevent abuse; 5) Disable or temporarily deactivate the plugin if immediate patching is not feasible and email marketing is not critical; 6) Review and harden WordPress user roles and permissions to minimize exposure. Regular backups and monitoring of plugin updates from the vendor are essential to ensure timely remediation.