• Resolved ffwpuihq

    (@ffwpuihq)


    I see below warning in my site:

    “The MC4WP: Mailchimp for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'email' parameter when a placeholder such as {email} is used for the field in versions 4.9.9 to 4.9.15 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.”

    Is it possible to look into this?
    Thank you very much.

    • This topic was modified 1 month, 4 weeks ago by ffwpuihq.
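    The bug class described in the quoted warning (a request parameter substituted into a `{email}` form placeholder without escaping), as an added illustration that is not the plugin's own code: the function names, template markup and sample values below are hypothetical, and plain PHP `filter_var`/`htmlspecialchars` stand in for the WordPress helpers `is_email()`/`esc_attr()`.

```php
<?php
// Added illustration (not MC4WP code). Shows why an unescaped placeholder
// substitution is a reflected XSS, and what the hardened version looks like.

// Vulnerable pattern: the raw query value replaces {email} inside an HTML
// attribute. A value containing a double quote terminates the attribute, so
// anything after it lands in the page as markup.
function render_form_unsafe(string $template, array $query): string {
    $email = $query['email'] ?? '';
    return str_replace('{email}', $email, $template);
}

// Hardened pattern: validate the value as an email address first (anything
// else is dropped), then escape it for the attribute context before the
// substitution. In WordPress the same roles are played by is_email() and esc_attr().
function render_form_safe(string $template, array $query): string {
    $email = $query['email'] ?? '';
    if (!is_string($email) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $email = '';
    }
    $escaped = htmlspecialchars($email, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return str_replace('{email}', $escaped, $template);
}

// Hypothetical form template using the {email} placeholder.
$template = '<input type="email" name="EMAIL" value="{email}">';

// Constructed sample inputs: a legitimate prefill, and a value that is not an
// email address and carries attribute-breaking characters.
$good = ['email' => 'alice@example.com'];
$bad  = ['email' => '"><i>not-an-email</i>'];

echo "unsafe, bad input : ", render_form_unsafe($template, $bad), PHP_EOL;
echo "safe,   bad input : ", render_form_safe($template, $bad), PHP_EOL;
echo "safe,   good input: ", render_form_safe($template, $good), PHP_EOL;
```

    Running the script shows the unsafe variant emitting the injected tag outside the attribute, while the hardened variant renders an empty value for the rejected input and the plain address for the valid one.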
Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Contributor Harish Chouhan

    (@hchouhan)

    Hey @ffwpuihq,

    Please update our plugin to the latest version. This has been fixed in version 4.9.17.

    Thread Starter ffwpuihq

    (@ffwpuihq)

    Thank you very much for replying. I understand that you have fixed and updated the plugin, but Jetpack’s Protect Scanner still displays a threat message stating “MC4WP 4.9.9 – 4.9.16 reflected Cross-site Scripting,” even though it recognizes that we are using version 4.9.17.

    What does this mean? Could it indicate that this threat has already affected my WordPress or my site? What should I do?

    I wanted to add a screenshot for you to see the message directly, but there is no option to do this.

    • This reply was modified 1 month, 2 weeks ago by ffwpuihq.
    Plugin Contributor Harish Chouhan

    (@hchouhan)

    Hey @ffwpuihq,
    This would be a false warning now since you are on the latest version. You can safely ignore it.
