CVE-2019-15318
No known patch is available for this vulnerability.
The affected plugin has been removed from the WordPress.org directory (reason: Security Issue), and no patched version is being distributed through the official directory. If you have the affected software installed, you should uninstall or replace it rather than wait for an update.
Description
Easy Forms for Mailchimp WordPress plugin before 6.5.3 allows admin-level code injection via an input field, leading to potential RCE.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The yikes-inc-easy-mailchimp-extender plugin for WordPress, versions prior to 6.5.3, contains a code injection vulnerability in an admin input field. The plugin fails to properly sanitize or validate user-supplied input within the administrative interface, allowing an authenticated administrator to inject arbitrary PHP code. The vulnerable code path is reachable when the attacker has access to the WordPress admin dashboard and the plugin is active.
Exploitation
An attacker must have valid administrator-level credentials for the WordPress site. With those credentials, the attacker can navigate to the plugin's settings page and inject malicious code into the vulnerable input field. No additional user interaction or special network position is required beyond standard admin access. The injected code is then executed in the context of the WordPress server.
Impact
Successful exploitation allows the attacker to execute arbitrary PHP code on the server. This can lead to full compromise of the WordPress site, including data theft, privilege escalation, defacement, or use of the server for further attacks. The attacker gains the same privileges as the web server user, typically resulting in complete control over the site and its data.
Mitigation
The vulnerability is fixed in version 6.5.3 of the plugin. However, as of June 4, 2024, the plugin has been closed and removed from the WordPress.org plugin directory due to a security issue [1]. No patched version is being distributed through official channels. Users who have the plugin installed should uninstall it immediately and migrate to an alternative solution. No workaround is available.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- WordPress/yikes-inc-easy-mailchimp-extender
- Range: <6.5.3
Patches
yikes-inc-easy-mailchimp-extender: This plugin has been removed from the WordPress.org directory on 2024-06-04 (reason: Security Issue). No patched version is being distributed through the official directory. Users who have it installed should uninstall it.
Source: api.wordpress.org · directory page
References
[1] https://wordpress.org/plugins/yikes-inc-easy-mailchimp-extender/
[2] https://wpvulndb.com/vulnerabilities/9583