CVE-2023-4925: 
WordPress vulnerability analysis and mitigation

The Easy Forms for Mailchimp WordPress plugin through version 6.8.10 contains a Cross-Site Scripting (XSS) vulnerability. The plugin does not properly sanitize and escape some of its settings, which could allow high-privilege users such as administrators to perform Cross-Site Scripting attacks even when unfiltered_html is disallowed (WPScan, NVD).

The vulnerability is tracked as CVE-2023-4925 and has been assigned a CVSS v3.1 base score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The issue stems from improper neutralization of input during web page generation (CWE-79). The vulnerability affects versions up to and including 6.8.10 of the plugin (NVD).

When exploited, this vulnerability allows high-privilege users to inject malicious JavaScript code into the plugin settings. This can lead to stored XSS attacks that execute when other users access specific pages, potentially compromising their sessions or leading to other client-side attacks (WPScan).

The vulnerability has been fixed in version 6.9.0 of the Easy Forms for Mailchimp plugin. Users are advised to update to this version or later to mitigate the risk (WPScan).