CVE-2024-8850

The MC4WP: Mailchimp for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'email' parameter when a placeholder such as {email} is used for the field in versions 4.9.9 to 4.9.16 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Configurations

Configuration 1 (hide)

cpe:2.3:a:ibericode:mailchimp:*:*:*:*:*:wordpress:*:*

History

25 Sep 2024, 18:49

Type Values Removed Values Added
First Time Ibericode
Ibericode mailchimp
CPE cpe:2.3:a:ibericode:mailchimp:*:*:*:*:*:wordpress:*:*
References () https://plugins.trac.wordpress.org/browser/mailchimp-for-wp/tags/4.9.16/config/default-form-content.php#L8 - () https://plugins.trac.wordpress.org/browser/mailchimp-for-wp/tags/4.9.16/config/default-form-content.php#L8 - Product
References () https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3153075%40mailchimp-for-wp&new=3153075%40mailchimp-for-wp&sfp_email=&sfph_mail= - () https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3153075%40mailchimp-for-wp&new=3153075%40mailchimp-for-wp&sfp_email=&sfph_mail= - Patch
References () https://www.wordfence.com/threat-intel/vulnerabilities/id/1d2ba8ea-a75f-4069-b67d-f832acb1deef?source=cve - () https://www.wordfence.com/threat-intel/vulnerabilities/id/1d2ba8ea-a75f-4069-b67d-f832acb1deef?source=cve - Third Party Advisory

25 Sep 2024, 18:15

Type Values Removed Values Added
Summary (en) The MC4WP: Mailchimp for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'email' parameter when a placeholder such as {email} is used for the field in versions 4.9.9 to 4.9.15 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. (en) The MC4WP: Mailchimp for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'email' parameter when a placeholder such as {email} is used for the field in versions 4.9.9 to 4.9.16 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

20 Sep 2024, 12:30

Type Values Removed Values Added
Summary
  • (es) El complemento MC4WP: Mailchimp para WordPress es vulnerable a ataques de Cross-Site Scripting reflejado a través del parámetro 'email' cuando se utiliza un marcador de posición como {email} para el campo en las versiones 4.9.9 a 4.9.15 debido a una desinfección de entrada y un escape de salida insuficientes. Esto permite que atacantes no autenticados inyecten secuencias de comandos web arbitrarias en páginas que se ejecutan si logran engañar a un usuario para que realice una acción como hacer clic en un enlace.

19 Sep 2024, 04:15

Type Values Removed Values Added
New CVE

Information

Published : 2024-09-19 04:15

Updated : 2024-09-25 18:49


NVD link : CVE-2024-8850

Mitre link : CVE-2024-8850

CVE.ORG link : CVE-2024-8850


JSON object : View

Products Affected

ibericode

  • mailchimp
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')