Vulnerability in Easy Forms for MailChimp 6.1.2 and older
This entry was posted in Vulnerabilities, WordPress Security on July 28, 2016 by Dan Moen
Panagiotis Vagenas, a Wordfence Security Researcher, has discovered a reflected cross-site scripting (XSS) vulnerability in the Easy Forms for MailChimp plugin for WordPress. The plugin has over 40,000 active installations according to wordpress.org. We shared the details of the vulnerability with the author on Monday, and they released version 6.1.3 on Tuesday, which includes a fix for the vulnerability.
An attack leveraging this reflected cross-site scripting vulnerability would require an administrator to click on a link, which might be accomplished through some kind of social engineering attack. Accomplishing that could enable an attacker to perform a number of administrative functions, including adding a user with admin privileges, effectively giving them full control of the website. It is important to note that many modern browsers, such as Chrome and Safari, protect against these types of scripts running on the client side, which diminishes the odds that this vulnerability will be exploited in the wild.
CVSS Severity: 8.8 (High)
What to do
Both Premium and free Wordfence users with the firewall enabled are already protected. Anyone not running Wordfence should upgrade to version 6.1.3 immediately.