• Resolved jfilley

    (@jfilley)


    Hi, I have received a warning from Sitelock that our mailchimp form has a blind SQL injection vulnerability. I called Sitelock and they suggested I upgrade the plugin, which I did (2.3.14 to 2.3.18). However I don’t see anything in the plugin changelog about correcting any vulnerability issues. Does this sound like a plugin issue? Any suggestions on how to remedy other than paying Sitelock $39/month for firewall protection?

    Thank you, Joanne

    https://wordpress.org/plugins/mailchimp-for-wp/

Viewing 3 replies - 1 through 3 (of 3 total)
  • mother.of.code

    (@imazed)

    The Mother of Code

    Hi Joanne,

    I just wanted to let you know that we’ve read your message and it’s being passed on to our developer. We’ll get back to you a.s.a.p.!

    Has this already been fixed?

    Are the forms from this plugin protected against cross-site scripting as well?

    Plugin Author Danny van Kooten

    (@dvankooten)

    Hi Ron,

    Yes, this was actually a false alarm, so never an issue to begin with. You can be certain that there are no known security vulnerabilities in the plugin.

    If a vulnerability is found, we’ll work with WordPress to push out an automatic update of the plugin correcting ONLY the vulnerability as fast as humanly possible.

    Regarding CSRF:

    – All admin actions are 100% CSRF protected.
    – Public forms are not using any special anti-CSRF measures as of a few versions ago. This is intentional. You can however easily enable CSRF protection by adding a plugin like Goodbye Captcha to the mix, which comes with built-in integration for MailChimp for WordPress.

    Hope that helps. If not, let me know!

The topic ‘Blind SQL injection vulnerability in Mailchimp for WordPress form’ is closed to new replies.