CVE-2024-8680: 
NixOS vulnerability analysis and mitigation

The MC4WP: Mailchimp for WordPress plugin is affected by a Stored Cross-Site Scripting vulnerability (CVE-2024-8680) in versions up to and including 4.9.16. The vulnerability was discovered and disclosed on September 21, 2024, affecting WordPress installations with the Mailchimp for WordPress plugin (NVD).

The vulnerability stems from insufficient input sanitization and output escaping in the admin settings of the plugin. This security flaw has been assigned a CVSS v3.1 base score of 5.5 (Medium) by NIST with a vector string of CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N. The vulnerability is specifically related to the handling of admin settings and only affects multi-site installations and installations where unfiltered_html has been disabled (NVD).

When exploited, this vulnerability allows authenticated attackers with administrator-level permissions to inject arbitrary web scripts into pages. These malicious scripts will execute whenever a user accesses an affected page. The impact is limited to multi-site installations and installations where unfiltered_html has been disabled (NVD).

A patch has been released to address this vulnerability. Users are advised to update their MC4WP: Mailchimp for WordPress plugin to version 4.9.17 or later. The fix includes improved input sanitization and output escaping mechanisms (Wordfence Advisory).