CVE-2025-68038 HIGH

CVE-2025-68038: WordPress Icegram Express Pro plugin < 5.9.14 - PHP Object Injection vulnerability

Vendor Icegram
Product Icegram Express Pro
Weakness CWE-502 · Unsafe deserialization
Published December 24, 2025
Last update April 28, 2026

CVSS base score

7.2/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

Description

Deserialization of Untrusted Data vulnerability in Icegram Icegram Express Pro (email-subscribers-premium) allows Object Injection. This issue affects Icegram Express Pro: from n/a through < 5.9.14.

Explanation of Vulnerability in Simple Terms

Summary

Icegram Express Pro versions up to 5.9.14 contain a deserialization vulnerability that allows authenticated administrators to execute arbitrary PHP code on the site. An attacker with admin privileges can craft malicious serialized data that, when processed by the plugin, runs their own code with full site access. This requires administrative account compromise or insider access.
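The mechanism behind CWE-502 in PHP, as an added illustration that is not Icegram Express Pro code and makes no claim about where in the plugin the flaw sits: a plugin that passes stored, admin-controlled data to unserialize() lets that data instantiate any loaded class, so a class with a side-effecting __wakeup or __destruct runs attacker-chosen logic as soon as the object is created or freed. The class name, option name and sample payload below are constructed for the demonstration; the hardened variants use the real unserialize() 'allowed_classes' option (PHP 7.0+) and json_decode().

```php
<?php
declare(strict_types=1);

// Constructed, deliberately benign class: in a real codebase the danger comes
// from whatever classes with magic methods happen to be autoloadable.
class SettingsCache
{
    public string $path = '/tmp/settings-cache';

    public function __destruct()
    {
        // Stands in for a file write, callback, or shell-out in real gadget code.
        echo "SettingsCache::__destruct ran for {$this->path}\n";
    }
}

/** Vulnerable pattern: whatever is stored is handed straight to unserialize(). */
function load_settings_vulnerable(string $stored): array
{
    $data = @unserialize($stored);           // instantiates any class named in $stored
    return is_array($data) ? $data : [];
}

/** Hardened pattern 1: keep unserialize() but forbid object instantiation. */
function load_settings_hardened(string $stored): array
{
    $data = @unserialize($stored, ['allowed_classes' => false]);
    if (!is_array($data)) {
        return [];
    }
    // Object tokens now decode to __PHP_Incomplete_Class (no magic methods run);
    // treat their presence as tampering rather than silently keeping them.
    array_walk_recursive($data, static function ($value): void {
        if ($value instanceof __PHP_Incomplete_Class) {
            throw new RuntimeException('Serialized object found in settings; refusing to load');
        }
    });
    return $data;
}

/** Hardened pattern 2: store settings as JSON, which cannot encode PHP objects. */
function load_settings_json(string $stored): array
{
    $data = json_decode($stored, true, 512, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : [];
}

// Constructed sample values for the hypothetical option "ig_es_pro_settings".
$benign   = serialize(['from_email' => 'news@example.com', 'batch' => 50]);
$tampered = serialize(['from_email' => 'news@example.com', 'cache' => new SettingsCache()]);

echo "vulnerable/benign:  ", json_encode(load_settings_vulnerable($benign)), "\n";
echo "vulnerable/tampered: ", json_encode(array_keys(load_settings_vulnerable($tampered))), "\n";
// ^ the SettingsCache destructor fires here: attacker-chosen code already ran.

echo "hardened/benign:    ", json_encode(load_settings_hardened($benign)), "\n";
try {
    load_settings_hardened($tampered);
} catch (RuntimeException $e) {
    echo "hardened/tampered:  rejected (", $e->getMessage(), ")\n";
}

echo "json/benign:        ", json_encode(load_settings_json('{"from_email":"news@example.com"}')), "\n";
```

The PR:H in the CVSS vector matches the prerequisite stated on this page: the serialized value has to reach the plugin through something only an administrator can write, so the defender's levers are keeping admin accounts hardened and updating to a plugin version that no longer unserializes that data with objects allowed. When auditing your own code, grep for unserialize( calls without the 'allowed_classes' option and for maybe_unserialize() on values that originate from user input.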

What an attacker can do

Attacker Capabilities

Run arbitrary PHP code on the site with full administrative privileges.

Potential impact on your site

Site Impact

A compromised admin account can be used to take complete control of your site, steal data, or inject malware.

Conditions required to exploit

Prerequisites

Attacker must have administrator-level access to the WordPress site.

Key dates

Disclosure timeline

December 24, 2025 CVE published
April 28, 2026 Record updated