Cyber Resilience

CVE-2023-2518

Severity: Medium · Public PoC referenced

Published: 30 May 2023
Modified: 10 January 2025
KEV Added: not listed (not in the CISA KEV catalog)
Patch: fixed in 6.8.9
CVSS Score v3.1: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
EPSS Score: 0.1507 (94.7th percentile)
Risk Priority: 21 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-2518 is a medium-severity reflected cross-site scripting vulnerability in Yikesinc Easy Forms For Mailchimp (the WordPress plugin) in versions before 6.8.9. Its CVSS base score is 6.1 (Medium).

Operationally, it ranks in the top 5.3% of CVEs by EPSS exploit likelihood; it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

The vulnerability is a reflected cross-site scripting flaw in the Easy Forms for Mailchimp WordPress plugin prior to version 6.8.9. When the debug option is enabled, the plugin fails to sanitize and escape a parameter before echoing it back into the page, producing the reflected XSS condition described in the CVE.

An unauthenticated attacker can exploit the issue by supplying a crafted request that triggers script execution in the browser of a high-privilege user, such as an administrator who follows a malicious link. Because the script runs in the victim's browser in the context of the affected site, successful exploitation can result in limited confidentiality and integrity impacts, consistent with the reported CVSS 6.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N). Note the precondition: the reflection only occurs when the plugin's debug option is enabled, so disabling that option on a production site removes the exposure until the plugin can be updated to 6.8.9.
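The shape of the flaw and of its fix, as an added illustration that is not the plugin's code. The advisory does not name the affected parameter or option, so `hypothetical_param`, `$debug_enabled` and the two `render_debug_*` functions below are stand-ins; the WordPress helpers `sanitize_text_field()` and `esc_html()` are replaced with plain-PHP equivalents so the file runs from the command line without WordPress. The version check uses PHP's built-in `version_compare()` against the affected range stated on this page (≤ 6.8.8 affected, 6.8.9 fixed).

```php
<?php
// Added example for CVE-2023-2518: NOT the plugin's source. Parameter, option
// and function names are hypothetical; only the vulnerability pattern
// (unescaped reflection of a request parameter while debug is on) and the
// affected version range come from the advisory.

// Constructed sample request: the value an attacker would embed in a link.
$_GET = ['hypothetical_param' => '<script>alert(document.cookie)</script>'];
$debug_enabled = true;   // the advisory's precondition: debug option enabled

// Vulnerable shape: the raw parameter is concatenated straight into HTML.
function render_debug_vulnerable(array $get, bool $debug): string {
    if (!$debug) {
        return '';                      // nothing is reflected when debug is off
    }
    $value = isset($get['hypothetical_param']) ? $get['hypothetical_param'] : '';
    return '<div class="debug">Value: ' . $value . '</div>';
}

// Hardened shape: sanitise on input, escape on output (the two steps the
// advisory says were missing). strip_tags()/trim() stand in for
// sanitize_text_field(); htmlspecialchars() stands in for esc_html().
// The output escaping alone is what neutralises the HTML context; the input
// sanitisation is defence in depth.
function render_debug_fixed(array $get, bool $debug): string {
    if (!$debug) {
        return '';
    }
    $raw       = isset($get['hypothetical_param']) ? (string) $get['hypothetical_param'] : '';
    $sanitised = trim(strip_tags($raw));
    $escaped   = htmlspecialchars($sanitised, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<div class="debug">Value: ' . $escaped . '</div>';
}

// Triage helper: is an installed plugin version inside the affected range?
// Affected: <= 6.8.8; fixed: 6.8.9 (both from the advisory).
function is_affected_version(string $installed): bool {
    return version_compare($installed, '6.8.9', '<');
}

echo "vulnerable: " . render_debug_vulnerable($_GET, $debug_enabled) . PHP_EOL;
echo "fixed:      " . render_debug_fixed($_GET, $debug_enabled) . PHP_EOL;
echo "debug off:  [" . render_debug_fixed($_GET, false) . "]" . PHP_EOL;

// A payload that survives tag stripping is still neutralised by escaping the
// quotes, which is why output escaping, not input filtering, is the fix.
$_GET = ['hypothetical_param' => '" onmouseover="alert(1)'];
echo "attr-style: " . render_debug_fixed($_GET, $debug_enabled) . PHP_EOL;

foreach (['6.8.8', '6.8.9', '6.9.0'] as $v) {
    printf("version %s affected: %s\n", $v, is_affected_version($v) ? 'yes' : 'no');
}
```

Run with `php example.php`. The vulnerable line prints the `<script>` element verbatim, which is what a browser would execute; the fixed line prints `&lt;script&gt;...` as inert text, and with debug off the function returns an empty string, matching the advisory's precondition.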

The two referenced WPScan entries document the vulnerability and identify the fixed release (6.8.9) as the corrective version. The EPSS score has remained flat at 0.1507 with no material increase after disclosure.


Vulnerability details

The Easy Forms for Mailchimp WordPress plugin before 6.8.9 does not sanitise and escape a parameter before outputting it back in the page when the debug option is enabled, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin.

CWE(s)
None listed

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

yikesinc
easy forms for mailchimp
≤ 6.8.8

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References