WordPress Plugin Vulnerabilities

MailChimp Forms by MailMunch < 3.2.2 - Cross-Site Request Forgery

Description

The MailChimp Forms by MailMunch plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 3.2.1. This is due to missing or incorrect nonce validation on the integrate case. This makes it possible for unauthenticated attackers to update the plugin's access token via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
mailchimp-forms-by-mailmunch
Fixed in 3.2.2

References

CVE
CVE-2024-31378
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/7e069678-0c0a-4e4a-b0ee-404f488f9d01

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Majed Refaea
Verified
No
WPVDB ID
2c990589-c859-49f0-9f5a-a82b7fa7496d

Timeline

Publicly Published
2024-04-10 (about 2 years ago)
Added
2024-04-16 (about 2 years ago)
Last Updated
2024-04-16 (about 2 years ago)

Other

Published
Title
Published
2021-10-28
Title
URL Shortify < 1.5.1 - Arbitrary Link/Group Deletion via CSRF
Published
2022-04-28
Title
Footer Text <= 2.0.3 - Stored Cross-Site Scripting via CSRF
Published
2023-12-27
Title
Duplicator < 1.5.7.1 - Settings Removal via CSRF
Published
2024-04-07
Title
Slideshow Gallery < 1.7.9 - Settings Reset via CSRF
Published
2025-06-27
Title
Import external attachments <= 1.5.12 - Cross-Site Request Forgery