Security update: XSS vulnerabilities fixed in version 4.9.17


Version 4.9.17, released last week, fixes two XSS (Cross-Site Scripting) vulnerabilities. Please update as soon as possible.

What was fixed

Reflected XSS via the {email} tag

The {email} dynamic tag — used to display a subscriber’s email address in form messages — was not properly escaping HTML characters. A malicious actor could craft a URL that caused unintended HTML or JavaScript to be rendered in the browser of anyone who clicked it. We now strip and escape all HTML from {email} tag replacements before output.

Stored XSS via interest group names

Interest group names pulled from the Mailchimp API were being displayed in the plugin’s admin interface without being escaped first. An attacker who had both WordPress administrator access and Mailchimp account access could have injected HTML through a Mailchimp interest group name. We now escape this output correctly.
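To make the two fixes concrete, here is an added example (not the plugin's own code) showing the vulnerable and corrected forms of both the {email} tag substitution and the admin rendering of an interest group name. It assumes WordPress's esc_html(), esc_attr() and wp_strip_all_tags(); the shims below are approximations so the file also runs from the PHP CLI, and the input values are constructed for illustration.

```php
<?php
// Added example, not the plugin's own code. Shows both fixes from the advisory:
// (1) the {email} tag substitution and (2) an interest group name rendered in admin markup.
// Shims let this run from the PHP CLI; inside WordPress the real esc_html(), esc_attr()
// and wp_strip_all_tags() are used instead (the shims only approximate them).
if ( ! function_exists( 'esc_html' ) ) {
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}
if ( ! function_exists( 'esc_attr' ) ) {
    function esc_attr( $text ) {
        return esc_html( $text );
    }
}
if ( ! function_exists( 'wp_strip_all_tags' ) ) {
    function wp_strip_all_tags( $text ) {
        return trim( strip_tags( (string) $text ) );
    }
}

// Before the fix: the request-supplied value lands in the page verbatim (reflected XSS).
function replace_email_tag_vulnerable( $message, $email ) {
    return str_replace( '{email}', $email, $message );
}

// After the fix: strip any HTML, then escape whatever remains before output.
function replace_email_tag_fixed( $message, $email ) {
    return str_replace( '{email}', esc_html( wp_strip_all_tags( $email ) ), $message );
}

// Before the fix: an API-sourced group name is echoed into admin markup unescaped (stored XSS).
function group_option_vulnerable( $id, $name ) {
    return '<option value="' . $id . '">' . $name . '</option>';
}

// After the fix: escape each value for the context it lands in (attribute vs. element text).
function group_option_fixed( $id, $name ) {
    return '<option value="' . esc_attr( $id ) . '">' . esc_html( $name ) . '</option>';
}

// Constructed inputs (hypothetical values, not taken from the advisory).
$email = '<b>injected</b>@example.com';
$name  = 'Weekly "Digest" <i>VIP</i>';

echo replace_email_tag_vulnerable( 'Thanks, {email}!', $email ), PHP_EOL; // tag survives
echo replace_email_tag_fixed( 'Thanks, {email}!', $email ), PHP_EOL;      // tag stripped
echo group_option_vulnerable( 'grp1', $name ), PHP_EOL;                   // markup survives
echo group_option_fixed( 'grp1', $name ), PHP_EOL;                        // markup escaped
```

Run with `php example.php` and compare the four lines: the vulnerable outputs carry the input's tags through to the browser, while the fixed outputs render them as inert text.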

Who was affected

The reflected XSS required no special access — any site running an affected version using the {email} tag was potentially at risk if a visitor could be tricked into clicking a crafted link.

The stored XSS required an attacker to have both administrator-level WordPress access and access to the connected Mailchimp account, which significantly limits the real-world exposure. That said, defence in depth matters, and this was wrong regardless of how unlikely it was to be exploited.

Credit

Thank you to kauenavarro for responsibly disclosing the reflected XSS issue, and to Jorge Diaz (ddiax) for responsibly disclosing the stored XSS issue. Both researchers gave us time to fix and release the update before making their findings public.

What you should do

Update to version 4.9.17 or later immediately. You can do this from the Plugins screen in your WordPress admin, or by downloading from WordPress.org.

Questions? Get in touch.