The Email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter Plugin for WordPress plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.9.27. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor-level access and above, to overwrite plugin mail settings (from name and from email address), create audience lists, insert arbitrary contacts into those lists, create and overwrite newsletter broadcasts and post notifications, add workflows, and queue and dispatch mass email to arbitrary recipients.
References
https://plugins.trac.wordpress.org/browser/email-subscribers/tags/5.9.21/lite/admin/class-email-subscribers-admin.php#L216
https://plugins.trac.wordpress.org/browser/email-subscribers/tags/5.9.21/lite/admin/class-ig-es-onboarding.php#L171
https://plugins.trac.wordpress.org/browser/email-subscribers/tags/5.9.21/lite/includes/class-email-subscribers-activator.php#L66
https://plugins.trac.wordpress.org/browser/email-subscribers/tags/5.9.21/lite/includes/classes/class-es-newsletters.php#L717
https://plugins.trac.wordpress.org/browser/email-subscribers/tags/5.9.21/lite/includes/workflows/admin/class-es-workflow-admin-edit.php#L74
https://plugins.trac.wordpress.org/browser/email-subscribers/tags/5.9.24/lite/admin/class-email-subscribers-admin.php#L216
https://plugins.trac.wordpress.org/browser/email-subscribers/tags/5.9.24/lite/admin/class-ig-es-onboarding.php#L171
https://plugins.trac.wordpress.org/browser/email-subscribers/tags/5.9.24/lite/includes/class-email-subscribers-activator.php#L66
https://plugins.trac.wordpress.org/browser/email-subscribers/tags/5.9.24/lite/includes/classes/class-es-newsletters.php#L717
https://plugins.trac.wordpress.org/browser/email-subscribers/tags/5.9.24/lite/includes/workflows/admin/class-es-workflow-admin-edit.php#L74
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3584584%40email-subscribers&new=3584584%40email-subscribers&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/a2e70691-4de9-4b12-babf-bebe267a780b?source=cve
History

Thu, 02 Jul 2026 07:45:00 +0000

Type: First Time appeared
Values Removed:
Values Added:
  Icegram
  Icegram email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter Plugin For Wordpress
  Wordpress
  Wordpress wordpress

Type: Vendors & Products
Values Removed:
Values Added:
  Icegram
  Icegram email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter Plugin For Wordpress
  Wordpress
  Wordpress wordpress

Thu, 02 Jul 2026 06:15:00 +0000

Type: Description
Values Removed:
Values Added: The Email Subscribers & Newsletters – Email Marketing, Post Notifications & Newsletter Plugin for WordPress plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.9.27. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor-level access and above, to overwrite plugin mail settings (from name and from email address), create audience lists, insert arbitrary contacts into those lists, create and overwrite newsletter broadcasts and post notifications, add workflows, and queue and dispatch mass email to arbitrary recipients.

Type: Title
Values Removed:
Values Added: Email Subscribers & Newsletters <= 5.9.27 - Missing Authorization to Authenticated (Contributor+) Settings Modification via ig_es_handle_request AJAX Action

Type: Weaknesses
Values Removed:
Values Added: CWE-862

Type: References
Values Removed:
Values Added:

Type: Metrics
Values Removed:
Values Added: cvssV3_1: score 4.3, vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-07-02T05:35:13.163Z

Reserved: 2026-06-08T13:53:29.969Z

Link: CVE-2026-11592

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-02T07:30:16Z