WPScan says it was fixed in 4.8.7.
It would be nice for it to be listed as an issue that was fixed in the 4.8.7 changelog, though.
Plugin Contributor
Lap
(@lapzor)
Hi, it is mentioned in the release notes:
– Only allow unfiltered HTML if user has unfiltered_html capability. Please read the below.
https://ww.wp.xz.cn/plugins/mailchimp-for-wp/#developers
Note that MC4WP does allow you to use JavaScript in your form code; this is by design.
Only Administrators can edit the forms. Of course a WordPress Administrator can normally also upload plugins that would execute any arbitrary code on the server and we wouldn’t see that as a vulnerability, but as a feature. Similarly we find the option of adding JavaScript to the form a feature and not a bug.
However, we did add the option to block all such scripts if unfiltered_html is not set to not be allowed in your WordPress.
Hope that helps. If you have any questions, please let me know!
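The capability check the reply describes, written out as an added example (not the plugin's own code, and the `mc4wp_example_save_form_content` filter name is a hypothetical hook chosen for illustration):

```php
<?php
/**
 * Decide whether form markup submitted by the current user may keep
 * <script> tags and similar unfiltered HTML.
 *
 * WordPress grants the `unfiltered_html` capability to Administrators
 * (and Editors on single sites), and removes it from everyone when the
 * site defines `DISALLOW_UNFILTERED_HTML` as true in wp-config.php.
 * Anyone without the capability gets their markup run through
 * wp_kses_post(), which strips <script>, on* event handlers and other
 * tags outside the post-content allow-list.
 */
function mc4wp_example_filter_form_markup( string $markup ): string {
    if ( current_user_can( 'unfiltered_html' ) ) {
        // Trusted role: keep the markup exactly as entered (by design).
        return $markup;
    }

    // Untrusted or capability removed via DISALLOW_UNFILTERED_HTML:
    // keep only the tags and attributes allowed in post content.
    return wp_kses_post( $markup );
}

// Hypothetical hook: apply the check whenever form content is saved.
add_filter( 'mc4wp_example_save_form_content', 'mc4wp_example_filter_form_markup' );
```

With `define( 'DISALLOW_UNFILTERED_HTML', true );` in wp-config.php, even Administrators fall into the `wp_kses_post()` branch, which is the site-wide way to block scripts in form code.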