Attack Vectors
Icegram Express Pro (WordPress plugin slug: email-subscribers-premium) versions <= 5.9.13 are affected by CVE-2025-68038, rated Medium severity (CVSS 6.6, vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
The practical attack path requires an attacker to already hold an authenticated Administrator session (or Super Admin on multisite); this is the PR:H in the CVSS vector above, and the AC:H reflects the additional condition discussed under Security Weakness. In real-world terms, that typically means:
- a compromised admin account (password reuse, phishing, MFA gaps),
- an internal user with elevated permissions misusing access, or
- a breached third-party/vendor account with admin-level privileges.
Security Weakness
The underlying issue is PHP Object Injection: Icegram Express Pro up to version 5.9.13 passes input an administrator controls to PHP deserialization (unserialize), so the submitter chooses which classes get instantiated and with what property values.
Importantly, the plugin is reported to have no known POP (Property-Oriented Programming) chain in its own code, so on an otherwise bare site the injected objects have nothing dangerous to do. However, unserialize() instantiates any class the autoloader can find, not only the plugin's own. If a usable POP chain exists in another plugin or theme installed on the same site (a class whose __destruct, __wakeup, or __toString does something with attacker-set properties), this weakness becomes significantly more dangerous.
Remediation: update Icegram Express Pro to version 5.9.14 or a newer patched version. Reference: Wordfence vulnerability advisory.
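As an added illustration (not code from Icegram Express Pro, the advisory, or Wordfence), the following PHP shows the weakness in miniature: a hypothetical admin-only settings import that calls unserialize() on whatever the admin posted, a hypothetical gadget class of the kind a second plugin or theme might ship, the file-deletion outcome listed under the impacts below, and two hardened variants plus a log/WAF tripwire. The class name TempFileCleanup, the function names, and the payload are all constructed for the example; the advisory does not state which code path in the plugin is affected.

```php
<?php
// Added illustration of PHP Object Injection reaching a POP gadget. Not Icegram
// Express Pro code: every class, function and payload below is hypothetical.
declare(strict_types=1);

// Hypothetical gadget class of the kind another plugin or theme might ship.
// Harmless in normal use (removes a temp file when the object dies), but
// unserialize() sets $path straight from attacker-controlled bytes and then
// runs __destruct() when the object is freed: arbitrary file deletion.
final class TempFileCleanup
{
    public string $path = '';

    public function __destruct()
    {
        if ($this->path !== '' && is_file($this->path)) {
            @unlink($this->path);
        }
    }
}

// Vulnerable pattern: a (hypothetical) admin-only settings import that
// unserializes what the admin submitted. This matches the PR:H of the advisory,
// the attacker must already be an admin, but unserialize() builds objects of
// ANY class the autoloader can find, not only the plugin's own.
function import_settings_vulnerable(string $blob): mixed
{
    return unserialize($blob);
}

// Hardened variant 1: same wire format, but objects are never instantiated.
// With allowed_classes => false every O:... token becomes __PHP_Incomplete_Class,
// which carries no magic methods, so no chain can fire regardless of which
// gadgets other plugins install.
function import_settings_hardened(string $blob): mixed
{
    return unserialize($blob, ['allowed_classes' => false]);
}

// Hardened variant 2: drop PHP serialization for untrusted data entirely.
// JSON cannot express objects with behaviour, so there is nothing to chain.
function import_settings_json(string $blob): array
{
    $data = json_decode($blob, true, 512, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : [];
}

// Request-time tripwire: a serialized PHP object always opens with
// O:<len>:"<class>". Flagging it is not a fix (use the hardened functions),
// but it is a cheap WAF or log-review signature.
function looks_like_serialized_object(string $blob): bool
{
    return (bool) preg_match('/(^|[;{])O:\d+:"/', $blob);
}

// ---- Demonstration with a constructed payload ------------------------------
$victim = tempnam(sys_get_temp_dir(), 'poi');
file_put_contents($victim, 'data the attacker wants gone');

// Build the payload the way an attacker would: serialize a gadget whose path is
// the target, then neutralise our local copy so its own destructor does not
// fire at shutdown. Shape of the resulting bytes:
//   O:15:"TempFileCleanup":1:{s:4:"path";s:<len>:"<target path>";}
$gadget = new TempFileCleanup();
$gadget->path = $victim;
$payload = serialize($gadget);
$gadget->path = '';

echo 'tripwire flags payload: ', var_export(looks_like_serialized_object($payload), true), PHP_EOL;

import_settings_hardened($payload);
echo 'after hardened import, victim exists: ', var_export(file_exists($victim), true), PHP_EOL;

import_settings_vulnerable($payload);
echo 'after vulnerable import, victim exists: ', var_export(file_exists($victim), true), PHP_EOL;
```

Run it with PHP 8 (typed properties and the mixed return type are assumed). The hardened import leaves the temp file in place because the returned object is an incomplete-class stub with no destructor; the vulnerable import returns a live TempFileCleanup that is discarded immediately, its __destruct runs, and the file is gone. The gadget lives in "another plugin" in this story, which is exactly why the plugin having no chain of its own is not a reason to defer the update.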
Technical or Business Impacts
Because this issue can be chained with other components (plugins/themes) on the site, the potential impact can extend beyond the plugin itself. If a POP chain is available in the environment, an attacker may be able to:
- delete arbitrary files (site outage, broken pages/checkout, lost content),
- retrieve sensitive data (customer data, marketing lists, internal emails, configuration secrets), or
- execute code (full site takeover, persistent backdoors, fraudulent redirects).
For business leaders, the risk is not only technical. A compromise at the admin level can lead to brand damage (defaced pages, malicious popups), revenue loss (downtime, interrupted campaigns), and compliance exposure (unauthorized access to personal data and marketing databases). Even though the severity is “Medium,” the potential impact is high if the site runs many plugins/themes and has weak admin security practices.
Similar Attacks
PHP object injection vulnerabilities have affected WordPress ecosystems before, particularly when deserialization is combined with gadget chains available elsewhere in the stack. An example often cited alongside them is:
- CVE-2019-8942 (WordPress core) – strictly an authenticated (Author-level) remote code execution through a manipulable _wp_attached_file post-meta entry rather than a PHP object injection, but it illustrates the same lesson as the current issue: a weakness reachable only from a privileged account becomes critical once a supporting condition is present (there, the image-crop code path; here, a POP chain from another plugin or theme).
For the current issue, track the official record here: CVE-2025-68038.