Viewing 15 replies - 1 through 15 (of 17 total)
  • Thanks for posting this question…I was just going to do the same thing.

    Andrew M

    (@andrewlmacaulay)

    As was I. Especially concerned as the text in the vulnerability report saying:

    “2023-02-08 – vendor (YIKES) notified about the vulnerability
    2023-05-11 – we tried to notify the vendor (YIKES) again and got the answer that the plugin/business is sold to another company (EH Dev Shop). We notified the new vendor the same day.
    2023-05-17 – still no reply from the vendor (EH Dev Shop).”

    I would like to understand (like I suspect others would) whether this plugin is still being actively maintained or has now been abandoned — so I can make decisions on whether to migrate to alternatives.

    Please can someone at the developers at least confirm that work on a new update to address this vulnerability is being done.

    The announcement about the plugins is here https://www.yikesinc.com/eh-dev-shop-acquires-yikes-plugins and the new developer’s website showing the plugins in their catalog is here https://www.evan-herman.com/wordpress/plugins/

    • This reply was modified 1 year, 6 months ago by Andrew M.

    @yikesinc

    Can you address this issue please?

    Plugin Contributor yikesinc

    (@yikesinc)

    Hello @waterfire

    Our plugin business was acquired by EH Dev Shop. https://www.yikesinc.com/eh-dev-shop-acquires-yikes-plugins/

    We are no longer involved with selling or supporting the plugins.

    Thank you.
    -Tracy

    @eherman24 – Are you going to address this issue?

    Hey there,

    We use this plugin on a client website and I request an update, can it be provided within two weeks?

    Thank you,

    Robert

    karenkisswp

    (@karenkisswpwebsites)

    I’ve sent a contact form message to Evan through his website with a link to this post to ask if / when an update will be available.

    Cheers,
    Karen

    • This reply was modified 1 year, 6 months ago by karenkisswp.
    Andrew M

    (@andrewlmacaulay)

    I have also sent a contact form to @eherman24 on Monday 22nd May and still have not seen/heard any confirmation that there will be a fix.

    This plugin is shown as an active plugin on his website https://www.evan-herman.com/wordpress-plugin/easy-mailchimp-forms/ although the copyright notice “© 2013-2016 EH Dev Shop”, the lack of a specific support channel for it on his site and his apparent lack of activity for nearly 2 months are all concerning.

    When does one decide that a plugin is abandoned and needs to be replaced? And has anyone got a recommended way to migrate this to MC4WP (which seems to be the best alternative) with all the ease and useful features that this has compared with the relative complexity of MC4WP?

    Thanks @andrewlmacaulay and @karenkisswpwebsites for contacting the new developer. I was messing around with the MC4WP plug-in as a backup and it is not as user-friendly, but I was able to reconnect to Mailchimp and use their form (not an integration) to make it work. It’s funny the MC4WP plug-in knowledge base/help site is so focused on integrations and doesn’t have good directions on how to use their own form…I guess maybe they think it was obvious. I finally realized after I installed the plugin and connected Mailchimp, I just went to the Form page within the plugin and made it there. It generates a code to place on your page or widget. It’s a bummer, I liked WordPress Easy Forms better…their zero response isn’t a good omen. Now I have this new one set up, I’ll probably keep it.

    I sent Evan several messages via Slack. I’m still operating on the assumption that he didn’t purchase this plugin from @yikesinc just to run it into the ground.

    Time will tell I guess.

    Andrew M

    (@andrewlmacaulay)

    @waterfire have you seen any response from Evan on Slack? I’ve not had anything back from @eherman24 so far – not looking good, and starting to feel like abandonware, which is a shame.

    @andrewlmacaulay

    I haven’t heard anything. I deleted the plugin yesterday. Definitely a shame.

    Apparently @eherman24 patched this plugin today.

    Plugin Author Evan Herman

    (@eherman24)

    @waterfire Correct. 6.8.9 was pushed out today. I was working directly with the security review team to get this patched, but unfortunately I was traveling and have had a few personal things pop up these last few months that have hindered my ability to get the work done.

    I am sorry to hear that you’ve removed the plugin, but I do understand.

    I will be more on top of things moving forward, for those who have stuck around. Again, I am sorry for those who have had to wait.

    @eherman24, understood. I got the feeling based on your Slack status that you may be dealing with some personal difficulty. Thanks for following up. You have a good plugin here, I wish you and your future customers the best going forward.

  • The topic ‘Plugin v6.8.8 is vulnerable to Cross Site Scripting (XSS)’ is closed to new replies.