Reflected XSS in MailChimp for WordPress could allow an attacker to do almost anything an admin user can

Score   Vector    Complexity   Authentication   Confidentiality   Integrity   Availability
        Network   Medium       None             Partial           Partial     None

These metric values correspond to the CVSS v2 base vector AV:N/AC:M/Au:N/C:P/I:P/A:N: reachable over the network, medium complexity because a logged-in admin has to be lured to the URL, no authentication needed by the attacker, and partial loss of confidentiality and integrity through the actions taken in the victim's session.

You can read more about CVSS base scores on Wikipedia or in the CVSS specification.


If an attacker can trick a logged-in admin user into visiting a crafted URL, the injected JavaScript runs in the user's browser in the site's own origin. It can therefore read the page, use the victim's session cookies and nonces to make authenticated requests to wp-admin, and perform almost any action that the user can, such as creating a new administrator account or installing a plugin.
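The pattern behind a reflected XSS in a WordPress admin page, shown as an added illustration rather than code from the MailChimp for WordPress plugin: a request parameter echoed back into the HTML unescaped, beside the hardened form. The parameter names, the page slug and the function names are assumptions chosen for the example.

```php
<?php
// Added illustrative example, not code from the MailChimp for WordPress plugin.
// Parameter names ("redirect", "message"), the page slug and the function
// names below are assumptions for illustration only.

// Vulnerable pattern: an untrusted query-string value written straight into
// markup. Visiting
//   wp-admin/admin.php?page=example&redirect=%22%3E%3Cscript%3E...%3C%2Fscript%3E
// while logged in closes the attribute and runs the injected script with the
// admin's session, which is the class of bug this advisory describes.
function example_vulnerable_notice() {
    if ( isset( $_GET['redirect'] ) ) {
        echo '<a href="' . $_GET['redirect'] . '">Continue</a>';
    }
}

// Hardened pattern: strip WordPress' magic-quote slashes, restrict the value
// to a same-site admin URL, then escape for the exact output context.
function example_hardened_notice() {
    if ( ! isset( $_GET['redirect'] ) ) {
        return;
    }
    $redirect = wp_unslash( $_GET['redirect'] );
    // wp_validate_redirect() replaces off-site targets with the fallback;
    // esc_url() rejects javascript: and similar schemes and entity-encodes
    // the quotes an attacker would need to break out of the attribute.
    $redirect = wp_validate_redirect( $redirect, admin_url() );
    echo '<a href="' . esc_url( $redirect ) . '">Continue</a>';
}

// Text that lands between tags rather than inside an attribute needs the
// matching escaper, esc_html(); using the wrong one for the context is the
// usual way "escaped" output still ends up exploitable.
function example_hardened_text() {
    if ( isset( $_GET['message'] ) ) {
        echo '<p>' . esc_html( wp_unslash( $_GET['message'] ) ) . '</p>';
    }
}
```

When reviewing a plugin for this bug class, grep for `$_GET`, `$_REQUEST` and `$_SERVER['REQUEST_URI']` reaching `echo`, `printf` or string concatenation into HTML without passing through an `esc_*()` call for that context; a nonce check does not help here, because the victim's own browser sends the request.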

Proof of concept

Assuming you have the site running on http://localhost/ with the plugin activated, visit the following URL in a browser that does not apply reflected XSS filtering (e.g. Firefox; older versions of Chrome with the XSS Auditor, which was removed in Chrome 78, may block the request):


Mitigation/further actions

Update to version 4.0.11 or later.