Mailchimp Top Bar Plugin Vulnerable to Reflected Cross-Site Scripting
CVE-2024-9210

6.1 MEDIUM

Key Information:

Vendor: Dvankooten
Product: Mc4WP: Mailchimp Top Bar
CVE Published: 2 October 2024

Summary

The MC4WP: Mailchimp Top Bar plugin for WordPress is vulnerable to reflected cross-site scripting (XSS) because URLs built with the add_query_arg function are output without adequate escaping. Since add_query_arg derives its result from the current request URI, the flaw allows unauthenticated attackers to inject arbitrary JavaScript into pages viewed by other users: when a user is tricked into clicking a crafted link, the injected script executes in that user's browser. This poses significant risks, including session hijacking and redirection of users to malicious sites. Site owners should check their installed version and update promptly, or apply mitigations, to protect against exploitation.
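As an added illustration (not code from the MC4WP plugin or its author), the following PHP shows the unescaped add_query_arg output pattern the summary describes alongside its hardened form. The mctb_ function names and the mctb-closed query parameter are assumptions made for this example; add_query_arg(), esc_url(), esc_url_raw() and wp_safe_redirect() are standard WordPress functions.

```php
<?php
/*
 * Illustrative example of the reflected XSS pattern in the advisory and of
 * its fix. This is not the MC4WP plugin's own code; the mctb_ names and the
 * 'mctb-closed' parameter are invented for the example.
 *
 * When add_query_arg() is called without an explicit base URL, WordPress
 * builds the result on $_SERVER['REQUEST_URI'], i.e. on a value the
 * requesting browser controls. Writing that return value into HTML without
 * escaping lets the request path and query string land in the page as-is,
 * which is what makes the XSS reflected and reachable by any unauthenticated
 * visitor who follows a crafted link.
 */

// VULNERABLE: the generated URL is derived from the current request URI and
// is written straight into an href attribute.
function mctb_vulnerable_close_link() {
    $url = add_query_arg( array( 'mctb-closed' => '1' ) );
    return '<a href="' . $url . '">Close</a>';
}

// HARDENED: esc_url() prepares the URL for an HTML attribute context. It
// HTML-encodes characters such as quotes, '<' and '>' and rejects unsafe
// protocols, so attacker-controlled request data cannot break out of the
// attribute or introduce markup.
function mctb_hardened_close_link() {
    $url = add_query_arg( array( 'mctb-closed' => '1' ) );
    return '<a href="' . esc_url( $url ) . '">Close</a>';
}

// When the same URL is used in a redirect header rather than in HTML, the
// matching escaping function is esc_url_raw() (no entity encoding, which a
// header must not contain), combined with wp_safe_redirect() so that only
// same-host or allow-listed destinations are honoured.
function mctb_hardened_redirect() {
    $url = add_query_arg( array( 'mctb-closed' => '1' ) );
    wp_safe_redirect( esc_url_raw( $url ) );
    exit;
}
```

For a quick audit of an installed plugin, search its source for occurrences of `add_query_arg(` whose result reaches `echo`, `printf` or string concatenation into HTML without passing through `esc_url()` (or `esc_url_raw()` for headers); each such site is a candidate for the same class of reflected XSS.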

Affected Version(s)

MC4WP: Mailchimp Top Bar * <= 1.6.0

References

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Dale Mavers