Wordfence Blog

Vulnerability in Easy Forms for MailChimp 6.1.2 and older

This entry was posted in Vulnerabilities, WordPress Security on July 28, 2016 by Dan Moen

Panagiotis Vagenas, a Wordfence Security Researcher, has discovered a reflected cross site scripting vulnerability in the Easy Forms for MailChimp plugin for WordPress. There are over 40,000 active installations according to wordpress.org. We shared the details of the vulnerability with the author on Monday and they released version 6.1.3 on Tuesday, which includes a fix for the vulnerability.

An attack leveraging this reflected cross site scripting vulnerability would require an admin to click on a crafted link, which might be accomplished via some kind of social engineering attack. If that succeeds, the attacker could perform a number of administrative functions, including adding a user with admin privileges, effectively giving them full control of the website. It is important to note that many modern browsers, such as Chrome and Safari, protect against these types of scripts running on the client side, which diminishes the odds that this vulnerability will be exploited in the wild.

CVSS Severity: 8.8 (High)

What to do
Both Premium and free Wordfence users with the firewall enabled are already protected. Anyone not running Wordfence should upgrade to version 6.1.3 immediately.
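A quick way to confirm a site is on the fixed release is to read the plugin's own header and compare versions numerically rather than as strings (a string compare would rank "6.1.10" below "6.1.3"). The script below is an added example, not Wordfence or plugin code; it assumes the plugin's main PHP file carries the standard WordPress "Version:" header line, and the header text embedded here is constructed for the demonstration.

```python
"""Check whether an installed plugin version predates the patched release."""
import re
from pathlib import Path
from typing import Optional, Tuple

# First release containing the fix, as stated in the advisory.
FIXED_VERSION = "6.1.3"

# Constructed sample of a WordPress plugin header (not the real plugin file).
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Easy Forms for MailChimp
 * Version: 6.1.2
 */
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '6.1.2' into (6, 1, 2); non-numeric suffixes are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version is older than the fixed release."""
    a, b = parse_version(installed), parse_version(fixed)
    # Pad to equal length so '6.1' compares as '6.1.0', not as a shorter prefix.
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a < b


def version_from_header(header: str) -> Optional[str]:
    """Extract the Version: field from a WordPress plugin header comment."""
    m = re.search(r"^[ \t*]*Version:[ \t]*([0-9][\w.\-]*)", header, re.MULTILINE)
    return m.group(1) if m else None


def check_plugin_file(path: Path) -> Tuple[Optional[str], bool]:
    """Read a plugin's main file; return (version, needs_update).

    Assumes `path` points at the plugin's main PHP file (hypothetical location).
    """
    version = version_from_header(path.read_text(errors="replace"))
    return version, bool(version and is_vulnerable(version))


if __name__ == "__main__":
    v = version_from_header(SAMPLE_HEADER)
    print(f"header version {v}: needs update = {is_vulnerable(v)}")
```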

1 Comment on "Vulnerability in Easy Forms for MailChimp 6.1.2 and older"

Makeda August 16, 2016 at 2:23 pm

If the version of this plugin has been updated and installed, is it still suggested that we delete it?
