CVE-2024-7489
Description
The Forms for Mailchimp by Optin Cat – Grow Your MailChimp List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the form color parameters in all versions up to, and including, 2.5.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with editor-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in the Forms for Mailchimp by Optin Cat plugin via form color parameters allows editor-level attackers to inject scripts.
Vulnerability
The Forms for Mailchimp by Optin Cat – Grow Your MailChimp List plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) via form color parameters in all versions up to and including 2.5.7. The vulnerability exists in the includes/eoi-functions.php file due to insufficient input sanitization and output escaping [1][2]. This allows authenticated attackers with editor-level access to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
Exploitation
An attacker must have editor-level access to the WordPress site. By saving a JavaScript payload in one of the form's color settings, which the plugin writes into the rendered page without adequate validation or escaping, the attacker stores the payload in the plugin's form settings. When any user, including an administrator or an anonymous visitor, views a page containing the affected form, the injected script executes in their browser [1][2]. No additional user interaction is required beyond viewing the page.
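The following is an added illustration of the bug class described above, not the plugin's own code (the real logic in eoi-functions.php is not reproduced here). The option keys, function names and the payload are constructed for the example; the sanitiser mirrors what WordPress' sanitize_hex_color() and esc_attr() do, with a polyfill so it runs outside WordPress:

```php
<?php
// Added example: a "color" setting written into the page without validation or
// escaping, beside the hardened equivalent. NOT the plugin's code; the option
// names, functions and payload below are constructed for illustration.

declare(strict_types=1);

// Settings as an Editor might save them through the plugin's form options.
// The second value is a constructed XSS payload posing as a colour: it closes
// the style attribute and appends an event-handler attribute.
$saved_settings = [
    'button_color'   => '#0073aa',
    'headline_color' => '#fff" onmouseover="alert(document.domain)" x="',
];

// Vulnerable pattern: the stored value is interpolated straight into an HTML
// attribute, so the payload's quotes and attribute names become live markup.
function render_headline_vulnerable(array $settings): string
{
    return '<h2 style="color: ' . $settings['headline_color'] . '">Subscribe</h2>';
}

// Input side: accept only 3- or 6-digit hex colours, otherwise fall back.
// WordPress ships sanitize_hex_color() for this; the polyfill keeps the
// example runnable outside WordPress.
function sanitize_hex_color_polyfill(string $value, string $fallback = '#000000'): string
{
    return preg_match('/^#(?:[0-9a-fA-F]{3}|[0-9a-fA-F]{6})$/', $value) === 1 ? $value : $fallback;
}

// Apply the allowlist at save time so a payload never reaches the database.
// Only keys ending in "_color" are accepted; anything else is dropped.
function sanitize_settings_on_save(array $raw): array
{
    $clean = [];
    foreach ($raw as $key => $value) {
        if (substr((string) $key, -6) === '_color') {
            $clean[$key] = sanitize_hex_color_polyfill((string) $value);
        }
    }
    return $clean;
}

// Output side: re-validate and escape regardless of what the database holds
// (WordPress' esc_attr() does the escaping step), so even a stale unsanitised
// value saved before the fix cannot break out of the attribute.
function render_headline_hardened(array $settings): string
{
    $color = sanitize_hex_color_polyfill($settings['headline_color'] ?? '');
    return '<h2 style="color: '
        . htmlspecialchars($color, ENT_QUOTES | ENT_HTML5, 'UTF-8')
        . '">Subscribe</h2>';
}

echo render_headline_vulnerable($saved_settings), PHP_EOL;
echo render_headline_hardened(sanitize_settings_on_save($saved_settings)), PHP_EOL;
```

Run with `php example.php`: the first line of output carries a live `onmouseover="alert(document.domain)"` attribute on the heading, the second renders `color: #000000` and nothing else. Attribute escaping alone would have stopped this particular breakout, but a colour value emitted inside a `<style>` block is a different context where HTML entity escaping is the wrong tool; the strict hex allowlist is what protects both, which is why the fix belongs at both the input and the output side, as the advisory's "insufficient input sanitization and output escaping" wording implies.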
Impact
Successful exploitation lets the injected script run with the privileges of whoever views the page. Because WordPress marks its authentication cookies HttpOnly, outright session-cookie theft is usually not the realistic outcome; instead the script can issue authenticated requests on the victim's behalf (for example, an administrator previewing the form's page), redirect users to malicious sites, or modify page content. The attack compromises the confidentiality and integrity of the WordPress site and can lead to privilege escalation if an administrator's session is used to create accounts or change settings [1][2].
Mitigation
The issue has been fixed in version 2.5.8 released on 2024-10-12, as shown in the changeset [3]. Users are strongly advised to update to the latest version. No workaround is available; updating is the only mitigation, though limiting who holds the Editor role reduces exposure in the meantime. Note that on a single-site WordPress installation the Editor role holds the unfiltered_html capability by default and can already place arbitrary script in post content, so this flaw matters most on Multisite, or on sites that define DISALLOW_UNFILTERED_HTML, where that capability has been withdrawn from editors.
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Forms for Mailchimp by Optin Cat – Grow Your MailChimp List (WordPress plugin), range: <=2.5.7
Patches
- r3198558
References
- [1] https://plugins.trac.wordpress.org/browser/mailchimp-wp/trunk/includes/eoi-functions.php (NVD)
- [2] https://plugins.trac.wordpress.org/browser/mailchimp-wp/trunk/includes/eoi-functions.php (NVD)
- [3] https://plugins.trac.wordpress.org/changeset/3198558/mailchimp-wp/trunk/includes/eoi-functions.php (NVD)
- [4] https://www.wordfence.com/threat-intel/vulnerabilities/id/52f9db86-7fed-4b32-8384-3ceb300f9249 (NVD)