5 Jul 2023

Issues With Plugin From New WordPress Plugin Review Team Member Raises Fresh Concern About Team

For years, Mika Epstein has been causing problems for the WordPress community in their role as the head of the WordPress Plugin Review team, which controls the WordPress Plugin Directory. Thankfully, they have now left the team for largely unexplained reasons. Before they did that, they brought in new team members without allowing the WordPress community to be involved in the process. That is in line with the decidedly non-open-source nature of that team, which hasn’t produced good results in so many ways (one example being vulnerable plugins being pulled and then returned to the directory without the vulnerabilities being fixed).

As Mika Epstein was leaving, six new members of the team were announced. Considering the problems with the existing team’s security reviewer, who remains on the team, we were curious to see if new security expertise was being brought in. Looking over the new team members’ WordPress profiles, we didn’t see any indication of that. But we did run across one of them with a plugin in which it was fairly easy to spot vulnerabilities, along with another concerning issue. [Read more]

2 Mar 2020

Vulnerability Details: Reflected Cross-Site Scripting (XSS) in Easy Forms for Mailchimp

Recently a report of a cross-site scripting (XSS) vulnerability in the plugin Easy Forms for Mailchimp from Mehran Feizi was published on Packet Storm and then removed. While the report was not fully accurate, it did identify a reflected cross-site scripting (XSS) vulnerability in the plugin. [Read more]

26 Feb 2020

Hackers May Already Be Targeting This Authenticated Persistent XSS Vulnerability in Easy Forms for Mailchimp

As part of the monitoring we do to provide customers of our service with the best possible data on vulnerabilities in the WordPress plugins they may be using, we watch for what look to be hackers probing for usage of plugins, so that we can quickly warn our customers of unfixed vulnerabilities that hackers are likely targeting. Today there was probing on our website for the plugin Easy Forms for Mailchimp through requests for these files:

  • /wp-content/plugins/yikes-inc-easy-mailchimp-extender/admin/js/yikes-inc-easy-mailchimp-dashboard-widget.js
  • /wp-content/plugins/yikes-inc-easy-mailchimp-extender/public/js/form-submission-helpers.js
  • /wp-content/plugins/yikes-inc-easy-mailchimp-extender/readme.txt

In a quick check over the plugin we found that it contains numerous security issues, so we would recommend that the plugin get a thorough security review before being used. Like the previous plugins we discussed this week that look to be part of the same campaign, this plugin also contains an authenticated persistent cross-site scripting (XSS) vulnerability, so that would be a likely target for the hacker. Since the plugin has 100,000+ installs, a hacker is more likely to find websites that allow untrusted individuals access to WordPress accounts, which is what they would need to exploit it. [Read more]

5 Jul 2019

Not Really a WordPress Plugin Vulnerability, Week of July 5

In reviewing reports of vulnerabilities in WordPress plugins to provide our customers with the best data on vulnerabilities in the plugins they use, we often find reports for things that don’t appear to be vulnerabilities. For the more problematic reports we release posts detailing why the vulnerability reports are false, but there have been a lot that we haven’t felt rose to that level. In particular, there are items that are not outright false; the issue is just more accurately described as a bug. For those that don’t rise to the level of getting their own post, we now place them in a weekly post as we come across them.

Easy Forms for Mailchimp

One of the changelog entries for version 6.5.3 of Easy Forms for Mailchimp is “Fixed admin input field code injection vulnerability. Thanks to Henri Salo from Nixu Corporation for finding and reporting this to us.” The relevant change looks to involve this line: [Read more]

28 Jul 2016

Protecting You Against Wordfence’s Bad Practices: Reflected Cross-Site Scripting (XSS) Vulnerability in Easy Forms for MailChimp

Wordfence is putting WordPress websites at risk by disclosing vulnerabilities in plugins while leaving out the critical details needed to double-check their work, in what appears to be an attempt to profit off of these vulnerabilities. We are releasing those details so that others can review the vulnerabilities and try to limit the damage Wordfence’s practice could cause.

Wordfence didn’t provide any description of the vulnerability beyond that it was a reflected cross-site scripting (XSS) vulnerability in Easy Forms for MailChimp version 6.1.2, but it was easy to spot with just that information. [Read more]