Improper neutralization of input during web page generation allows Stored Cross‑Site Scripting in the N‑Media Nmedia MailChimp plugin for WordPress. A crafted script can be saved by the plugin and then rendered to any user who views the affected page, potentially enabling cookie theft, session hijacking, or the injection of malicious content. Based on the description, it is inferred that the attack vector is through the plugin’s data entry interface, where an attacker’s injected script is stored and later served to other users. This reflects a typical XSS weakness (CWE‑79).

The plugin Nmedia MailChimp version 5.4 and older, across all releases from the initial version through 5.4, are affected. The vulnerability exists in the WordPress plugin supplied by N‑Media, used commonly in many sites to integrate MailChimp services.

The CVSS score of 6.5 indicates medium severity, while an EPSS score below 1 % suggests the likelihood of exploitation is currently low. The issue is not listed in the CISA KEV catalog. The exploitation path generally requires an attacker to insert malicious script via the plugin’s data entry interface, which then is stored and subsequently served to other site visitors. Because the vulnerability is stored XSS, privilege requirements depend on the plugin’s configuration; a normal user who can submit data may be able to trigger it.