
MailChimp List Subscribe Form
widget failed security test (4 posts)

  1. Samantha
    Member
    Posted 3 years ago #

    Hello,

    I have a WP site that uses Security Metrics to run vulnerability tests periodically to be PCI compliant.

    When they ran that last test, they found that the MailChimp widget was vulnerable to XSS JavaScript attacks. They also made me aware of where the code needed sanitization:

    <div id="mailchimp-widget" class="widget mailchimpSF_display_widget">
    <a name="mc_signup_form"></a>
    <h3>Sign up for Astro News</h3>
    <div id="mc_signup_container">
    <form method="post" action="/?\"><script>alert(123)</script>#mc_signup_form" id="mc_signup_form">

    Can I get some help on this? Thank you.

    -Samantha

  2. Brian Hatano
    Member
    Posted 3 years ago #

    You check with the MailChimp people?

  3. mc_jesse
    Member
    Posted 3 years ago #

    I haven't tracked down a way to do that. Do you happen to be on a Windows host? If so this may be the actual problem:
    http://neosmart.net/blog/2006/100-apache-compliant-request_uri-for-iis-and-windows/

    If not, did they happen to give any details on how they injected that?

  4. Samantha
    Member
    Posted 3 years ago #

    @Brian Yes, they told me to post here.

    @mc_jesse I am on Linux. Yes, by typing js code with special characters into the form after what appears to be an appropriate email.

    In the meantime, I am going to use Gravity Forms MailChimp add-on.
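The scan output in post #1 shows the request URI being written straight into the form's action attribute, which is what mc_jesse's REQUEST_URI hint in post #3 points at: a double quote in the URL closes the attribute and whatever follows is parsed as markup. The snippet below is an added illustration, not the MailChimp plugin's own code and not from anyone in this thread; it reproduces that pattern beside an escaped version so a site owner can see why the scanner flagged it and what a fix looks like. The function names, the fallback escaper and the constructed request URI are all assumptions made here; `esc_url()` is the WordPress helper that applies when WordPress is loaded.

```php
<?php
// Added illustration only (not the plugin's code). Names below are hypothetical.

// Constructed input: the request URI the scanner used, as quoted in post #1.
$requestUri = '/?"><script>alert(123)</script>';

// Vulnerable pattern: the raw request URI lands inside action="...".
// The embedded double quote terminates the attribute, so the rest of the
// string is rendered as markup instead of being treated as part of the URL.
function render_form_vulnerable(string $requestUri): string {
    return '<form method="post" action="' . $requestUri
         . '#mc_signup_form" id="mc_signup_form">';
}

// Escaping for the attribute context. Inside WordPress, esc_url() is the
// helper for href/action values; outside WordPress (or in a plain php CLI run)
// fall back to htmlspecialchars() with ENT_QUOTES so both quote styles encode.
function escape_attr_url(string $url): string {
    if (function_exists('esc_url')) {
        return esc_url($url); // WordPress helper, only present when WP is loaded
    }
    return htmlspecialchars($url, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hardened version: the same template, with the value escaped for its context.
function render_form_hardened(string $requestUri): string {
    return '<form method="post" action="' . escape_attr_url($requestUri)
         . '#mc_signup_form" id="mc_signup_form">';
}

// Simple check a site owner can run against rendered output: a literal
// <script> tag surviving into the HTML means the value was not escaped.
function reflects_raw_script(string $html): bool {
    return strpos($html, '<script>') !== false;
}

echo "Vulnerable output:\n" . render_form_vulnerable($requestUri) . "\n\n";
echo "Hardened output:\n"   . render_form_hardened($requestUri)   . "\n\n";
echo 'Vulnerable reflects raw <script>: '
   . var_export(reflects_raw_script(render_form_vulnerable($requestUri)), true) . "\n";
echo 'Hardened reflects raw <script>:   '
   . var_export(reflects_raw_script(render_form_hardened($requestUri)), true) . "\n";
```

Run it with `php example.php`; the vulnerable line prints the attribute broken open, while the hardened line prints `&quot;&gt;&lt;script&gt;...` inside the attribute, which a browser treats as an inert URL string. Escaping is the minimum fix; the cleaner design is not to echo the request URI at all and instead point the form at a known-safe URL such as the page permalink, so attacker-controlled input never reaches the attribute in the first place.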

Topic Closed

This topic has been closed to new replies.
