CVE-2021-4244: 
PHP vulnerability analysis and mitigation

A cross-site scripting (XSS) vulnerability was discovered in yikes-inc-easy-mailchimp-extender Plugin versions up to 6.8.5. The vulnerability affects the file admin/partials/ajax/addfieldtoform.php, where improper handling of user input through the parameters fieldname, mergetag, fieldtype, and list_id could lead to cross-site scripting attacks. The vulnerability was addressed with the release of version 6.8.6 on December 17, 2021 (GitHub Release).

The vulnerability is classified as a Reflected Cross-Site Scripting issue (CWE-79) with a CVSS v3.1 Base Score of 6.1 (MEDIUM) and vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N. The issue stems from insufficient sanitization of user input in the addfieldto_form.php file, where POST parameters were directly used without proper validation or sanitization (NVD).

The vulnerability allows remote attackers to inject malicious scripts that could be executed in users' browsers when they interact with the affected components. This could potentially lead to theft of sensitive information, session hijacking, or other client-side attacks (NVD).

The vulnerability has been fixed in version 6.8.6 of the yikes-inc-easy-mailchimp-extender plugin. The fix includes implementing proper sanitization of user input using WordPress's sanitizetextfield() function for all affected POST parameters. Users are advised to upgrade to version 6.8.6 or later to address this security issue (GitHub Commit).