Reflected XSS in MailChimp for WordPress could allow an attacker to do almost anything an admin user can


Last revised:

If an attacker can trick a logged-in admin user into visiting a particular URL, they can execute JavaScript in the user’s browser which can perform almost any action that the user can.

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability
Score 5.8 Medium
Vector Network
Complexity Medium
Authentication None
Confidentiality Partial
Integrity Partial
Availability None
You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

Assuming you have the site running on http://localhost/ with the plugin activated, visit this URL in a browser without reflected XSS mitigation measures (i.e. Firefox):


Advisory timeline

  • 2016-03-23: Discovered
  • 2016-12-07: Reported to
  • 2016-12-07: Requested CVE
  • 2016-12-07: Vendor first replied
  • 2016-12-09: Vendor reported fixed in 4.0.11
  • 2016-12-13: Advisory published
  • 2017-09-29: Requested CVE

Mitigation/further actions

Update to version 4.0.11 or later.