Icegram Engage – Popups, Optins, CTAs & Lead Generation Security & Risk Analysis

wordpress.org/plugins/icegram

Create high-converting popups, email optins, and CTAs in minutes. Capture leads, grow your email list, and convert visitors into customers—without cod …

10K active installs · v3.1.42 · PHP + WP 3.9+ · Updated Apr 14, 2026
Tags: lead-generation, opt-in-email, popup-builder, wordpress-popup, wordpress-popup-plugin
Score: 92 (A · Safe)
CVEs total: 18
Unpatched: 0
Last CVE: Jan 5, 2026
Safety Verdict

Is Icegram Engage – Popups, Optins, CTAs & Lead Generation Safe to Use in 2026?

Generally Safe

Score 92/100

Icegram Engage – Popups, Optins, CTAs & Lead Generation has a strong security track record. Known vulnerabilities have been patched promptly. It's a solid choice for most WordPress installations.

18 known CVEs · Last CVE: Jan 5, 2026 · Updated 1mo ago
Risk Assessment

The "icegram" plugin exhibits a mixed security posture. On the positive side, it demonstrates good practices in SQL query handling with a high percentage of prepared statements and a robust number of nonce and capability checks. The majority of output is properly escaped, and it has no currently unpatched CVEs, which is a significant strength.

However, there are several areas of concern. The presence of 14 AJAX handlers, with 3 lacking authentication checks, creates a notable attack surface for unauthorized actions. Furthermore, the use of the dangerous `unserialize` function, even if not directly linked to a critical taint flow in this analysis, always presents a risk of arbitrary code execution if attacker-controlled data is passed to it.

The vulnerability history reveals a significant number of past medium and high severity issues, including missing authorization and CSRF. While the plugin has a recent security patch (implied by the 2026 date, though this seems like a future date and might be a typo), the sheer volume of past vulnerabilities suggests a history of security oversights.

The taint analysis shows no critical or high severity flows, which is reassuring, but the two flows with unsanitized paths warrant attention, as they could lead to vulnerabilities if exploited under certain conditions. The presence of bundled libraries like Select2 also introduces a dependency risk if those libraries are outdated or have known vulnerabilities.

In conclusion, while "icegram" v3.1.39 has made strides in secure coding practices, particularly with prepared statements and output escaping, its past vulnerability record and the identified weaknesses in its attack surface (unauthenticated AJAX handlers, `unserialize` function) prevent it from being considered highly secure. The plugin requires ongoing vigilance and a commitment to addressing identified vulnerabilities promptly. Users should be aware of the potential risks associated with unauthenticated entry points and the inherent dangers of deserialization functions.

Key Concerns

  • Unprotected AJAX handlers
  • Dangerous unserialize function
  • Flows with unsanitized paths
  • Past high severity vulnerabilities
  • Past medium severity vulnerabilities
  • Bundled libraries (potential risk)
Vulnerabilities
18 published

Icegram Engage – Popups, Optins, CTAs & Lead Generation Security Vulnerabilities

CVEs by Year

2016: 2 CVEs
2019: 1 CVE
2021: 2 CVEs
2022: 1 CVE
2023: 3 CVEs
2024: 5 CVEs
2025: 3 CVEs
2026: 1 CVE

Severity Breakdown

High: 1
Medium: 17

18 total CVEs

CVE-2025-68507 · medium · 5.3 · Missing Authorization

Icegram <= 3.1.35 - Missing Authorization

Jan 5, 2026 Patched in 3.1.36 (10d)
CVE-2024-13482 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Icegram Engage <= 3.1.31 - Authenticated (Administrator+) Stored Cross-Site Scripting

Mar 3, 2025 Patched in 3.1.32 (65d)
CVE-2024-13486 · medium · 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Icegram Engage <= 3.1.31 - Authenticated (Administrator+) Stored Cross-Site Scripting

Mar 3, 2025 Patched in 3.1.32 (51d)
CVE-2025-24542 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Icegram <= 3.1.31 - Authenticated (Contributor+) Stored Cross-Site Scripting

Jan 24, 2025 Patched in 3.1.32 (5d)
CVE-2024-12302 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Icegram Engage <= 3.1.31 - Authenticated (Author+) Stored Cross-Site Scripting

Dec 16, 2024 Patched in 3.1.32 (33d)
CVE-2024-43344 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Icegram <= 3.1.25 - Authenticated (Contributor+) Stored Cross-Site Scripting

Aug 16, 2024 Patched in 3.1.26 (7d)
CVE-2024-43272 · medium · 5.3 · Missing Authorization

Icegram <= 3.1.24 - Missing Authorization

Aug 12, 2024 Patched in 3.1.25 (11d)
CVE-2024-39625 · medium · 5.3 · Missing Authorization

Icegram <= 3.1.24 - Missing Authorization to Unauthenticated Message Duplication

Jul 22, 2024 Patched in 3.1.25 (11d)
CVE-2024-21748 · medium · 4.3 · Missing Authorization

Icegram <= 3.1.21 - Missing Authorization

Jan 5, 2024 Patched in 3.1.22 (186d)
CVE-2023-52119 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Icegram <= 3.1.18 - Cross-Site Request Forgery via save_campaign_preview

Dec 28, 2023 Patched in 3.1.19 (26d)
CVE-2023-51532 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Icegram <= 3.1.19 - Authenticated (Contributor+) Stored Cross-Site Scripting via Campaign Message

Dec 27, 2023 Patched in 3.1.20 (27d)
CVE-2023-2398 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Icegram Engage <= 3.1.11 - Reflected Cross-Site Scripting

May 22, 2023 Patched in 3.1.12 (246d)
CVE-2022-1776 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Icegram Engage <= 2.1.7 - Cross-Site Scripting

May 30, 2022 Patched in 2.1.8 (603d)
CVE-2021-24941 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Icegram <= 2.0.4 - Reflected Cross-Site Scripting via message_id

Nov 22, 2021 Patched in 2.0.5 (792d)
CVE-2021-36832 · medium · 4.8 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Icegram <= 2.0.2 - Authenticated Stored Cross-Site Scripting

Aug 17, 2021 Patched in 2.0.3 (889d)
CVE-2019-15830 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Icegram <= 1.10.28.2 - Cross-Site Scripting

Jul 9, 2019 Patched in 1.10.29 (1659d)
CVE-2016-10962 · high · 8.8 · Cross-Site Request Forgery (CSRF)

Icegram <= 1.9.18 - Cross-Site Request Forgery

Jul 19, 2016 Patched in 1.9.19 (2744d)
CVE-2016-10963 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Icegram <= 1.9.18 - Cross-Site Scripting

Jul 19, 2016 Patched in 1.9.19 (2744d)
Version History

Icegram Engage – Popups, Optins, CTAs & Lead Generation Release Timeline

v3.1.42 (Current)
v3.1.41
v3.1.40
v3.1.39
v3.1.38
v3.1.37
v3.1.36
v3.1.35 · 1 CVE
v3.1.34 · 1 CVE
v3.1.33 · 1 CVE
v3.1.32 · 1 CVE
Code Analysis
Analyzed Mar 16, 2026

Icegram Engage – Popups, Optins, CTAs & Lead Generation Code Analysis

Dangerous Functions: 3
Raw SQL Queries: 1 (10 prepared)
Unescaped Output: 177 (1070 escaped)
Nonce Checks: 21
Capability Checks: 19
File Operations: 5
External Requests: 6
Bundled Libraries: 2

Dangerous Functions Found

unserialize · `$messages = unserialize( $value[0] );` · lite\class-icegram.php:2655
unserialize · `return unserialize( file_get_contents( $this->_file( $key )));` · lite\classes\class-icegram-cache.php:43
unserialize · `$icegram_message_data = unserialize( $icegram_result->meta_value );` · lite\updates\icegram-update-1.2.php:18

Bundled Libraries

Select2, jQuery

SQL Query Safety

91% prepared · 11 total queries

Output Escaping

86% escaped · 1247 total outputs
Data Flows · Security
2 unsanitized

Data Flow Analysis

12 flows · 2 with unsanitized paths
icegram_event_track (lite\class-icegram.php:674)
Attack Surface
3 unprotected

Icegram Engage – Popups, Optins, CTAs & Lead Generation Attack Surface

Entry Points: 16
Unprotected: 3

AJAX Handlers 14

auth · wp_ajax_ig_dismiss_mailer_promotion_notice · lite\class-icegram.php:63
auth · wp_ajax_ig_mailer_notice_clickable · lite\class-icegram.php:64
auth · wp_ajax_ig_toggle_campaign_status · lite\class-icegram.php:71
auth · wp_ajax_ig_display_messages · lite\class-icegram.php:113
nopriv · wp_ajax_ig_display_messages · lite\class-icegram.php:114
auth · wp_ajax_icegram_event_track · lite\class-icegram.php:116
nopriv · wp_ajax_icegram_event_track · lite\class-icegram.php:117
auth · wp_ajax_es_list_subscribe · lite\class-icegram.php:118
auth · wp_ajax_icegram_run_housekeeping · lite\class-icegram.php:119
auth · wp_ajax_ig_save_gallery_data · lite\class-icegram.php:120
auth · wp_ajax_icegram_json_search_messages · lite\classes\class-icegram-campaign-admin.php:22
auth · wp_ajax_ig_get_message_action_row · lite\classes\class-icegram-campaign-admin.php:23
auth · wp_ajax_save_campaign_preview · lite\classes\class-icegram-campaign-admin.php:25
auth · wp_ajax_get_message_setting · lite\classes\class-icegram-message-admin.php:18

Shortcodes 2

[icegram] lite\class-icegram.php:85
[ig_form] lite\class-icegram.php:86
WordPress Hooks 115
action · admin_head · icegram.php:106
action · init · icegram.php:229
action · plugins_loaded · icegram.php:236
filter · icegram-engage_is_page_for_notifications · icegram.php:246
action · admin_footer · lite\about-icegram.php:9
action · admin_enqueue_scripts · lite\class-icegram.php:47
action · admin_print_styles · lite\class-icegram.php:48
filter · post_row_actions · lite\class-icegram.php:49
action · admin_menu · lite\class-icegram.php:51
action · admin_init · lite\class-icegram.php:52
action · admin_init · lite\class-icegram.php:53
action · admin_init · lite\class-icegram.php:55
action · icegram_settings_after · lite\class-icegram.php:57
action · icegram_about_changelog · lite\class-icegram.php:58
action · icegram_settings_after · lite\class-icegram.php:59
action · admin_notices · lite\class-icegram.php:60
action · admin_notices · lite\class-icegram.php:62
filter · plugin_row_meta · lite\class-icegram.php:67
filter · manage_edit-ig_campaign_columns · lite\class-icegram.php:68
action · manage_ig_campaign_posts_custom_column · lite\class-icegram.php:69
action · admin_bar_menu · lite\class-icegram.php:72
action · admin_head · lite\class-icegram.php:73
filter · icegram_escape_allowed_tags · lite\class-icegram.php:75
filter · icegram_validate_custom_script · lite\class-icegram.php:77
action · wp_footer · lite\class-icegram.php:80
action · wp_footer · lite\class-icegram.php:83
filter · icegram_identify_current_page · lite\class-icegram.php:88
filter · icegram_branding_data · lite\class-icegram.php:90
action · wp_enqueue_scripts · lite\class-icegram.php:91
filter · icegram_get_valid_campaigns_sql · lite\class-icegram.php:92
action · icegram_print_js_css_data · lite\class-icegram.php:93
action · init · lite\class-icegram.php:95
action · init · lite\class-icegram.php:96
action · admin_init · lite\class-icegram.php:98
action · admin_menu · lite\class-icegram.php:99
action · icegram_loaded · lite\class-icegram.php:101
filter · widget_text · lite\class-icegram.php:104
filter · rainmaker_validate_request · lite\class-icegram.php:106
filter · icegram_data · lite\class-icegram.php:107
filter · mce_buttons · lite\class-icegram.php:109
filter · display_post_states · lite\class-icegram.php:2818
filter · post_date_column_status · lite\class-icegram.php:2819
action · edit_form_advanced · lite\classes\class-icegram-campaign-admin.php:14
action · edit_form_advanced · lite\classes\class-icegram-campaign-admin.php:15
action · edit_form_advanced · lite\classes\class-icegram-campaign-admin.php:18
action · admin_init · lite\classes\class-icegram-campaign-admin.php:19
action · save_post · lite\classes\class-icegram-campaign-admin.php:21
action · icegram_campaign_target_rules · lite\classes\class-icegram-campaign-admin.php:26
filter · icegram_campaign_messages · lite\classes\class-icegram-campaign-admin.php:27
filter · post_row_actions · lite\classes\class-icegram-campaign-admin.php:29
action · admin_init · lite\classes\class-icegram-campaign-admin.php:30
filter · icegram_campaign_tabs · lite\classes\class-icegram-campaign-admin.php:33
filter · icegram_display_rules · lite\classes\class-icegram-campaign-admin.php:34
filter · icegram_campaign_validation · lite\classes\class-icegram-campaign.php:65
filter · icegram_campaign_validation · lite\classes\class-icegram-campaign.php:66
filter · icegram_campaign_validation · lite\classes\class-icegram-campaign.php:67
filter · icegram_campaign_validation · lite\classes\class-icegram-campaign.php:68
action · wp_footer · lite\classes\class-icegram-compat.php:13
action · icegram_data_printed · lite\classes\class-icegram-compat.php:15
action · add_meta_boxes · lite\classes\class-icegram-message-admin.php:17
action · save_post · lite\classes\class-icegram-message-admin.php:20
filter · wp_insert_post_data · lite\classes\class-icegram-message-admin.php:21
filter · manage_edit-ig_message_columns · lite\classes\class-icegram-message-admin.php:23
action · manage_ig_message_posts_custom_column · lite\classes\class-icegram-message-admin.php:24
filter · icegram_available_headlines · lite\classes\class-icegram-message-admin.php:25
filter · post_row_actions · lite\classes\class-icegram-message-admin.php:28
action · admin_init · lite\classes\class-icegram-message-admin.php:29
filter · icegram_message_types · lite\classes\class-icegram-message-type.php:27
action · admin_init · lite\classes\class-icegram-trial-admin.php:16
action · admin_init · lite\classes\class-icegram-trial-admin.php:17
action · admin_notices · lite\classes\class-icegram-trial-admin.php:18
action · icegram_save_trial_campaign_message_ids · lite\classes\class-icegram-trial-admin.php:20
action · icegram_handle_trial_features · lite\classes\class-icegram-trial-admin.php:21
filter · wpcf7_form_action_url · lite\classes\compat\class-icegram-compat-contact-form-7.php:14
filter · icegram_get_form_list · lite\classes\compat\class-icegram-compat-contact-form-7.php:16
filter · icegram_get_form_list · lite\classes\compat\class-icegram-compat-forminator.php:13
filter · gform_form_tag · lite\classes\compat\class-icegram-compat-gravityforms.php:14
filter · icegram_get_form_list · lite\classes\compat\class-icegram-compat-gravityforms.php:17
filter · icegram_get_form_list · lite\classes\compat\class-icegram-compat-wpforms.php:13
action · admin_enqueue_scripts · lite\classes\feedback\class-ig-feedback.php:116
action · admin_enqueue_scripts · lite\classes\feedback\class-ig-feedback.php:117
action · admin_notices · lite\classes\feedback\class-ig-feedback.php:124
action · admin_print_footer_scripts · lite\classes\feedback\class-ig-feedback.php:359
action · admin_print_scripts · lite\classes\feedback\class-ig-feedback.php:360
action · admin_footer · lite\classes\feedback\class-ig-feedback.php:361
action · icegram_loaded · lite\classes\feedback\class-ig-plugin-data-tracker.php:123
action · icegram_deactivated · lite\classes\feedback\class-ig-plugin-data-tracker.php:125
action · admin_notices · lite\classes\feedback\class-ig-plugin-data-tracker.php:138
action · admin_init · lite\classes\feedback\class-ig-plugin-data-tracker.php:139
filter · cron_schedules · lite\classes\feedback\class-ig-plugin-data-tracker.php:141
filter · https_ssl_verify · lite\classes\feedback\class-ig-plugin-data-tracker.php:480
filter · ig_additional_feedback_meta_info · lite\classes\feedback.php:31
filter · ig_review_message_data · lite\classes\feedback.php:55
filter · ig_can_ask_user_for_review · lite\classes\feedback.php:90
action · admin_footer · lite\classes\feedback.php:172
filter · ig_can_load_sweetalert_js · lite\classes\feedback.php:193
filter · ig_can_load_sweetalert_css · lite\classes\feedback.php:216
filter · ig_show_plugin_usage_tracking_notice · lite\classes\feedback.php:242
action · admin_footer · lite\classes\feedback.php:278
filter · icegram_message_field_link · lite\classes\ig-upsale-admin.php:10
action · icegram_after_button_label · lite\classes\ig-upsale-admin.php:11
action · icegram_after_campaign_where_rule · lite\classes\ig-upsale-admin.php:12
action · icegram_after_campaign_when_rule · lite\classes\ig-upsale-admin.php:13
action · icegram_additional_campaign_rules · lite\classes\ig-upsale-admin.php:14
action · icegram_campaign_target_rules · lite\classes\ig-upsale-admin.php:15
action · icegram_add_campaign_ctas · lite\classes\ig-upsale-admin.php:16
action · add_meta_boxes · lite\classes\ig-upsale-admin.php:17
action · icegram_behavior_settings · lite\classes\ig-upsale-admin.php:19
action · icegram_behavior_settings · lite\classes\ig-upsale-admin.php:20
action · icegram_after_campaign_pages_where_rule · lite\classes\ig-upsale-admin.php:22
filter · icegram_message_type_params_action-bar · lite\message-types\action-bar\main.php:12
filter · icegram_message_type_params_messenger · lite\message-types\messenger\main.php:12
filter · icegram_data · lite\message-types\popup\main.php:14
filter · icegram_message_type_params_popup · lite\message-types\popup\main.php:15
filter · icegram_message_type_params_toast · lite\message-types\toast\main.php:12
Maintenance & Trust

Icegram Engage – Popups, Optins, CTAs & Lead Generation Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Apr 14, 2026
PHP min version
Downloads: 2.5M

Community Trust

Rating: 94/100
Number of ratings: 368
Active installs: 10K
Developer Profile

Icegram Engage – Popups, Optins, CTAs & Lead Generation Developer Profile

Icegram

8 plugins · 74K total installs

Trust score: 73
Avg Security Score: 92/100
Avg Patch Time: 571 days
Detection Fingerprints

How We Detect Icegram Engage – Popups, Optins, CTAs & Lead Generation

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/icegram/lite/css/
/wp-content/plugins/icegram/lite/js/

HTML / DOM Fingerprints

CSS Classes
icegram-dialog, ig_campaign, ig_message, icegram-frontend
HTML Comments
<!-- Icegram Engage Plugin (Lite) -->
<!-- Icegram Engage -->
<!-- Do not edit this code unless you know what you are doing -->
Data Attributes
data-icegram-campaign
JS Globals
Icegram
REST Endpoints
/wp-json/icegram/
FAQ

Frequently Asked Questions about Icegram Engage – Popups, Optins, CTAs & Lead Generation