Stored Cross-Site Scripting Vulnerability in MC4WP Affects Multi-Site Installations
CVE-2024-8680

5.5MEDIUM

Key Information:

Vendor
Wordpress
Status
Mc4WP: Mailchimp For WordPress
Vendor
CVE Published:
21 September 2024

Summary

The Mailchimp for WordPress plugin for WordPress exhibits a vulnerability that permits stored cross-site scripting through its admin settings. This issue arises from inadequate input validation and output escaping practices. Authenticated users with administrator-level permissions can exploit this vulnerability to insert arbitrary web scripts that are executed whenever a user accesses the compromised page. It is particularly relevant in multi-site environments and instances where the unfiltered_html capability has been disabled, thereby increasing the risk of malicious script execution on affected installations.

Affected Version(s)

MC4WP: Mailchimp for WordPress * <= 4.9.16

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...
https://github.com/ibericode/mailchimp-for-wordpress/blob...
https://plugins.trac.wordpress.org/browser/mailchimp-for-...

CVSS V3.1

Score:
5.5
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Jorge Diaz
.