CVE-2024-8680

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (CWE-80)

Published: Sep 21, 2024 / Updated: 59d ago

CVSS 5.5 / EPSS 0.1% / Medium

Summary

The MC4WP: Mailchimp for WordPress plugin is vulnerable to Stored Cross-Site Scripting via admin settings in versions up to and including 4.9.16. This vulnerability is due to insufficient input sanitization and output escaping. It affects multi-site installations and installations where unfiltered_html has been disabled.
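The bug class described above (an admin setting stored without capability-aware sanitization and echoed without output escaping) and its fix, as an added illustration that is not the MC4WP plugin's own code; the option name `demo_form_text`, the settings group and the `demo_*` functions are hypothetical:

```php
<?php
// Added example, not MC4WP code. Option/field names are hypothetical.

// Vulnerable pattern: raw setting saved and echoed back unescaped. On multisite,
// or where unfiltered_html is disabled, an admin should not be able to persist
// script, but nothing here enforces that and the output is not escaped either.
function demo_save_setting_vulnerable() {
    if ( isset( $_POST['demo_form_text'] ) ) {
        update_option( 'demo_form_text', wp_unslash( $_POST['demo_form_text'] ) );
    }
}
function demo_render_setting_vulnerable() {
    echo '<p>' . get_option( 'demo_form_text', '' ) . '</p>'; // no escaping
}

// Hardened pattern: sanitize on save according to the unfiltered_html capability
// (mirroring what core does for post content), and escape on output for the
// HTML context the value lands in.
function demo_sanitize_form_text( $value ) {
    $value = (string) $value;
    // Users without unfiltered_html are limited to the wp_kses_post() allow-list,
    // which drops <script>, on* event handlers and javascript: URLs.
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        $value = wp_kses_post( $value );
    }
    return $value;
}
add_action( 'admin_init', function () {
    register_setting( 'demo_settings', 'demo_form_text', array(
        'type'              => 'string',
        'sanitize_callback' => 'demo_sanitize_form_text',
        'default'           => '',
    ) );
} );

// Body context: the setting is allowed to carry limited HTML, so filter it again
// at render time (defense in depth). For a plain-text setting use esc_html().
function demo_render_setting_hardened() {
    echo '<p>' . wp_kses_post( get_option( 'demo_form_text', '' ) ) . '</p>';
}

// Attribute context (the settings form itself): esc_attr(), never raw.
function demo_render_input_hardened() {
    printf(
        '<input type="text" name="demo_form_text" value="%s">',
        esc_attr( get_option( 'demo_form_text', '' ) )
    );
}
```

Sanitizing on save alone is not enough, because an older stored value or another code path can still contain markup; escaping at every output point is what closes the stored XSS.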

Impact

This vulnerability allows authenticated attackers with administrator-level permissions or higher to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an injected page. This can lead to various attacks, including theft of sensitive data, session hijacking, or manipulating the affected site's content for malicious purposes. The impact is somewhat limited due to the high privileges required for exploitation.

Exploitation

There is no evidence that a public proof-of-concept exists, and no evidence of exploitation in the wild at the moment.

Patch

A patch is available. The vulnerability has been fixed in version 4.9.17 of the MC4WP: Mailchimp for WordPress plugin. Users should update to this version or later to mitigate the vulnerability.

Mitigation

1. Update the MC4WP: Mailchimp for WordPress plugin to version 4.9.17 or later.
2. If immediate updating is not possible, consider temporarily disabling the plugin on multi-site installations or where unfiltered_html is disabled.
3. Implement the principle of least privilege, ensuring that administrator access is strictly limited to trusted users.
4. Regularly audit administrator-level accounts and their activities.
5. Implement Web Application Firewall (WAF) rules to detect and block XSS attempts.
6. Educate users about the risks of clicking on suspicious links or interacting with unexpected content on the website.

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N

Timeline

First Article

Feedly found the first article mentioning CVE-2024-8680.

Sep 21, 2024 at 8:49 AM / Vulners.com RSS Feed
CVSS Estimate

Feedly estimated the CVSS score as LOW

Sep 21, 2024 at 8:49 AM
CVE Assignment

NVD published the first details for CVE-2024-8680

Sep 21, 2024 at 9:15 AM
CVSS

A CVSS base score of 4.4 has been assigned.

Sep 21, 2024 at 9:20 AM / nvd
EPSS

EPSS Score was set to: 0.1% (Percentile: 42%)

Sep 22, 2024 at 11:59 AM
CVSS

A CVSS base score of 5.5 has been assigned.

Sep 27, 2024 at 1:55 PM / nvd

Affected Systems

Ibericode/mailchimp

Patches

github.com

Attack Patterns

CAPEC-18: XSS Targeting Non-Script Elements

News

WordPress Vulnerability & Patch Roundup September 2024
Vulnerability: Cross Site Scripting (XSS) / CVE: CVE-2024-8440 / Number of Installations: 2,000,000+ / Affected Software: Essential Addons for Elementor <= 6.0.3 / Patched Versions: Essential Addons for Elementor 6.0.4
Vulnerability: Cross Site Scripting (XSS) / CVE: N/A / Number of Installations: 800,000+ / Affected Software: Ninja Forms <= 3.8.10 / Patched Versions: Ninja Forms 3.8.11
Update Sat Sep 28 14:32:32 UTC 2024
Wordfence Intelligence Weekly WordPress Vulnerability Report (September 16, 2024 to September 22, 2024)
Last week, there were 36 vulnerabilities disclosed in 30 WordPress Plugins and 4 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 24 Vulnerability Researchers that contributed to WordPress Security last week. The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability Impact: None
