CVE-2023-1323: 
WordPress vulnerability analysis and mitigation

The Easy Forms for Mailchimp WordPress plugin before version 6.8.9 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered and publicly published on March 9, 2023, affecting the plugin 'yikes-inc-easy-mailchimp-extender'. The issue stems from the plugin's failure to properly sanitize and escape form parameters (WPScan).

The vulnerability is classified as a Stored Cross-Site Scripting (XSS) issue with a CVSS score of 3.5 (low severity) and is mapped to CWE-79. The security flaw exists because the plugin does not sanitize and escape some of its form parameters, which could allow high privilege users such as administrators to perform Stored Cross-Site Scripting attacks, even when the unfiltered_html capability is disallowed, such as in multisite setups (WPScan).

The vulnerability allows high-privilege users to inject malicious scripts that can be triggered when viewing the form list in the admin panel (/wp-admin/admin.php?page=yikes-inc-easy-mailchimp) for versions 6.8.8 and earlier. Additionally, in versions prior to 6.8.7, the XSS payload can also be triggered on pages or posts where the form is embedded via shortcode (WPScan).

The vulnerability has been fixed in version 6.8.9 of the Easy Forms for Mailchimp WordPress plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).