MC4WP: Mailchimp for WordPress < 4.8.5 – Authenticated Arbitrary Redirect

Description

The plugin did not properly check for CSRF in some of its actions handled by the listen_for_actions method (hooked as admin_init), allowing attackers to make logged in users with the manage_options capability do unwanted actions and redirect them to an arbitrary website after

Proof of Concept

https://example.com/wp-admin/admin.php?_mc4wp_action=empty_debug_log&_redirect_to=https://wpscan.com

Affects Plugins

mailchimp-for-wp

Fixed in 4.8.5

Classification

Type

REDIRECT

OWASP top 10

A1: Injection

CWE

CWE-601

CVSS

4.3 (medium)

Miscellaneous

Original Researcher

WPScanTeam

Verified

Yes

WPVDB ID

9bd6daba-6b58-4b69-b137-f064701f636c

Timeline

Publicly Published

2021-06-01 (about 4 years ago)

Added

2021-06-01 (about 4 years ago)

Last Updated

2021-06-01 (about 4 years ago)

Other

Published

Title

Published

2014-05-07

Title

Prostore < 1.1.3 - Open Redirection

Published

2025-05-07

Title

WP Gravity Forms Zendesk < 1.1.3 - Open Redirect

Published

2024-04-05

Title

OAuth Server < 4.4.0 - Open Redirect

Published

2025-01-24

Title

LearnPress < 4.2.7.2 - Authenticated (Subscriber+) Open Redirect

Published

2025-08-14

Title

elink <= 1.1.0 - Contributor+ Arbitrary Redirect