MailChimp for WordPress <= 4.1.6 - Authenticated Cross-Site Scripting (XSS)

2017-09-08T00:00:00
ID WPVDB-ID:9D9BB5A6-AC66-43B9-8811-4490F5EAAA78
Type wpvulndb
Reporter Karim El Ouerghemmi
Modified 2019-11-01T15:36:01

Description

The plugin writes the return value of add_query_arg() into the admin page HTML without escaping in several places in the WordPress backend. When add_query_arg() is called without a base URL it builds the link on top of $_SERVER['REQUEST_URI'], so attacker-controlled query-string data from the request is copied into the output and reflected into the page, resulting in a reflected XSS vulnerability. The affected pages live under wp-admin, so the victim must be a logged-in user.
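The following is an added illustration of the pattern described above, not code taken from the MailChimp for WordPress plugin. It shows a tab link built with add_query_arg() and echoed raw, next to the conventional fix. It assumes it runs inside WordPress (the core functions add_query_arg(), esc_url(), esc_attr(), esc_html() and admin_url() must be loaded, for example from a settings-page callback); the example_ function names are hypothetical, and the page slug is the one from the PoC.

```php
<?php
// Added example (not the plugin's own code) of the add_query_arg() reflection
// pattern and its standard fix. Requires WordPress core functions to be loaded;
// the example_* function names are hypothetical.

// add_query_arg( $key, $value ) with no base URL argument starts from
// $_SERVER['REQUEST_URI']. Whatever extra query string the attacker appends to
// the admin page URL is therefore present in the returned string, and the
// returned string is NOT HTML-escaped.

function example_vulnerable_tab_link( $tab ) {
    // VULNERABLE: the string derived from the request URI is concatenated
    // straight into an HTML attribute. A request URI ending in &"> (the shape
    // of the PoC) closes the href attribute and lets further markup follow.
    $url = add_query_arg( 'tab', $tab );
    return '<a class="nav-tab" href="' . $url . '">' . esc_html( $tab ) . '</a>';
}

function example_hardened_tab_link( $tab ) {
    // FIXED: esc_url() is the escaping function WordPress provides for URLs
    // placed in HTML; it encodes the quote and angle-bracket characters the
    // PoC relies on, so the attribute cannot be broken out of.
    $url = esc_url( add_query_arg( 'tab', $tab ) );
    return '<a class="nav-tab" href="' . esc_attr( $url ) . '">' . esc_html( $tab ) . '</a>';
}

function example_hardened_tab_link_fixed_base( $tab ) {
    // Stronger: pass an explicit base URL so the link no longer depends on
    // REQUEST_URI at all, and still escape the result at the output point.
    $base = admin_url( 'admin.php?page=mailchimp-for-wp-integrations' );
    $url  = esc_url( add_query_arg( 'tab', $tab, $base ) );
    return '<a class="nav-tab" href="' . esc_attr( $url ) . '">' . esc_html( $tab ) . '</a>';
}

// Usage inside an admin page callback (constructed value, not user input):
// echo example_hardened_tab_link_fixed_base( 'general' );
```

When auditing a plugin for this bug, grep for add_query_arg( and remove_query_arg( and check each call site: any result that reaches echo, printf or a string concatenated into markup without passing through esc_url() (or esc_attr()/esc_html() for non-URL contexts) is a candidate. The fixed-base variant is the more robust one because it removes the attacker's influence over the string rather than only neutralising it at output time.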

PoC

URL/wp-admin/admin.php?page=mailchimp-for-wp-integrations&">