The plugin does not validate and escape some of its shortcode attributes before outputting them back in a page/post where the shortcode is embed, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks
As a contributor, put the below shortcodes in a post, preview it and move the mouse over the generated subscribe form to trigger the XSS [yikes-mailchimp-unsubscribe list=‘"onmouseover=alert(/XSS-list/)//’] [yikes-mailchimp-unsubscribe list=‘-1’ email_placeholder=‘"onmouseover=alert(/XSS-email_placeholder/)//’]
CPE | Name | Operator | Version |
---|---|---|---|
yikes-inc-easy-mailchimp-extender | lt | 6.8.7 |