CVE-2025-12349 identifies a missing authentication vulnerability (CWE-306) in the Icegram Express plugin for WordPress and WooCommerce, specifically in versions up to and including 5.9.10. The vulnerability arises because the plugin fails to verify whether a user is authorized before executing the trigger_mailing_queue_sending function. This function is responsible for sending emails from the mailing queue, typically scheduled to run at specific intervals. Due to the lack of authentication, an unauthenticated attacker can invoke this function directly, forcing immediate email dispatch outside the intended schedule. This can lead to increased server load, as the email sending process may be resource-intensive, and can also manipulate internal plugin state variables such as last-cron-hit, which track the timing of scheduled tasks. Although the vulnerability does not expose sensitive data or allow modification of email content, the ability to trigger unscheduled email sending can be abused to cause denial of service conditions by overwhelming server resources or disrupting normal email marketing operations. The CVSS v3.1 base score is 5.3 (medium), reflecting the network attack vector, no required privileges, and no user interaction, but limited impact on confidentiality and availability. No patches or known exploits are currently available, but the vulnerability is publicly disclosed and should be addressed promptly to prevent potential abuse.

For European organizations, the vulnerability could disrupt email marketing campaigns and newsletter distributions, which are critical for customer engagement and communication. The forced immediate sending of emails can lead to server resource exhaustion, causing degraded website performance or downtime, impacting business operations and customer trust. Organizations relying heavily on WordPress and WooCommerce for e-commerce and marketing activities are particularly at risk. Although the vulnerability does not compromise data confidentiality or integrity, the potential for denial of service-like effects could affect availability of services, leading to financial losses and reputational damage. Additionally, abuse of the plugin state could interfere with scheduled marketing automation workflows, complicating recovery and incident response. Given the widespread use of WordPress in Europe, especially among small and medium enterprises, the threat could have broad operational impacts if exploited at scale.

European organizations should immediately audit their WordPress installations to identify the presence of the Icegram Express plugin and verify the version in use. Since no official patch links are provided, organizations should monitor vendor communications for updates or patches addressing CVE-2025-12349. In the interim, restricting access to the affected function via web application firewall (WAF) rules or server-level access controls can help prevent unauthenticated invocation of trigger_mailing_queue_sending. Disabling or uninstalling the plugin temporarily may be necessary for high-risk environments. Additionally, organizations should implement monitoring for unusual spikes in email sending activity and server resource usage to detect potential exploitation attempts. Regular backups and incident response plans should be updated to include scenarios involving abuse of email marketing plugins. Finally, applying the principle of least privilege to WordPress user roles and ensuring that plugins are kept up to date will reduce exposure to similar vulnerabilities.