MC4WP: Mailchimp for WordPress 4.9.9 – 4.9.16 – Reflected Cross-Site Scripting

  • Resolved ma3ry

    (@ma3ry)


    2 months ago

    cPanel has sent me a warning that site vulnerabilities are found.

    MC4WP: Mailchimp for WordPress 4.9.9 – 4.9.16 – Reflected Cross-Site Scripting

    The MC4WP: Mailchimp for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ’email’ parameter when a placeholder such as {email} is used for the field in versions 4.9.9 to 4.9.15 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

    Source:?Wordfence

    I am using v4.4.17 but another site suggests updating to 4.10. Is 4.10 available or did 4.4.17 fix the issue?

    The page I need help with: [log in to see the link]

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Contributor Lap

    (@lapzor)

    Please note that these vulnerabilities can only be exploited by someone who already has full admin rights in your WordPress admin and in the second case admin rights in your WordPress as well as Mailchimp. Nonetheless, the “vulnerability” is fixed in the latest update of the plugin ( version 4.9.17).

    Kind regards,

    Thread Starter ma3ry

    (@ma3ry)

    Many thanks!

Viewing 2 replies - 1 through 2 (of 2 total)
  • You must be logged in to reply to this topic.