Reflected XSS in MailChimp for WordPress could allow an attacker to do almost anything an admin user can

Vulnerability

Last revised: December 7, 2016

If an attacker can trick a logged-in admin user into visiting a particular URL, they can execute JavaScript in the user’s browser which can perform almost any action that the user can.

Current state: Fixed

CVSS Summary

CVSS base scores for this vulnerability
Score	5.8 Medium
Vector	Network
Complexity	Medium
Authentication	None
Confidentiality	Partial
Integrity	Partial
Availability	None

You can read more about CVSS base scores on Wikipedia or in the CVSS specification.

Proof of concept

Assuming you have the site running on http://localhost/ with the plugin activated, visit this URL in a browser without reflected XSS mitigation measures (i.e. Firefox):

http://localhost/wp-admin/admin.php?page=mailchimp-for-wp-integrations&integration=%3Cscript%3Ealert%281%29%3C%2Fscript%3E

Advisory timeline

2016-03-23: Discovered
2016-12-07: Reported to support@ibericode.com
2016-12-07: Requested CVE
2016-12-07: Vendor first replied
2016-12-09: Vendor reported fixed in 4.0.11
2016-12-13: Advisory published
2017-09-29: Requested CVE

Mitigation/further actions

Update to version 4.0.11 or later.

dxw advisories

Advisory: