CVE-2023-2518
Published: 30 May 2023
Summary
CVE-2023-2518 is a medium-severity vulnerability of unspecified weakness type in Yikesinc Easy Forms For Mailchimp. Its CVSS base score is 6.1 (Medium).
Operationally, it ranks in the top 5.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
The vulnerability is a reflected cross-site scripting flaw in the Easy Forms for Mailchimp WordPress plugin prior to version 6.8.9. When the debug option is enabled, the plugin fails to sanitize and escape a parameter before echoing it back into the page, producing the reflected XSS condition described in the CVE.
An unauthenticated attacker can exploit the issue by supplying a crafted request that triggers script execution in the browser of a high-privilege user such as an administrator who follows a malicious link. Successful exploitation can result in limited confidentiality and integrity impacts within the affected site, consistent with the reported CVSS 6.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N).
The two referenced WPScan entries document the vulnerability and identify 6.8.9 as the fixed release. The EPSS score has remained flat at 0.1507, with no material increase after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-33998
Vulnerability details
The Easy Forms for Mailchimp WordPress plugin before 6.8.9 does not sanitise and escape a parameter before outputting it back in the page when the debug option is enabled, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.