Description
The Single Mailchimp plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'single-mailchimp' shortcode in all versions up to, and including, 1.4. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes (autocomplete, label, placeholder, btn_text, success_msg, error_msg) which are concatenated directly into HTML output by the single_mailchimp() function in shortcodes.php. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
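As an added illustration of the pattern the description names (this is a hypothetical reconstruction, not the plugin's own code: the attribute, function and shortcode names come from the CVE text, the function bodies and the WordPress API calls are assumptions), the unescaped concatenation beside the escaped version using WordPress's esc_attr() and esc_html():

```php
<?php
// Hypothetical reconstruction, NOT the plugin's real code: the attribute
// names and the function/file names come from the CVE text, the bodies
// are assumed. Shows the unescaped pattern and the escaped fix.

function single_mailchimp_defaults( $atts ) {
    return shortcode_atts( array(
        'autocomplete' => 'on',
        'label'        => 'Email address',
        'placeholder'  => 'you@example.com',
        'btn_text'     => 'Subscribe',
        'success_msg'  => 'Thanks for subscribing.',
        'error_msg'    => 'Something went wrong.',
    ), $atts, 'single-mailchimp' );
}

// Vulnerable pattern: attribute values go into the markup verbatim, so a
// contributor who can place the shortcode controls raw HTML on the page.
function single_mailchimp_vulnerable( $atts ) {
    $a = single_mailchimp_defaults( $atts );
    return '<form class="single-mailchimp"'
         . ' data-success="' . $a['success_msg'] . '"'
         . ' data-error="' . $a['error_msg'] . '">'
         . '<label>' . $a['label'] . '</label>'
         . '<input type="email" autocomplete="' . $a['autocomplete'] . '"'
         . ' placeholder="' . $a['placeholder'] . '">'
         . '<button type="submit">' . $a['btn_text'] . '</button>'
         . '</form>';
}

// Hardened form: escape for the output context (esc_attr() inside
// attributes, esc_html() in element text) and allow-list autocomplete,
// which only ever needs a fixed token.
function single_mailchimp_hardened( $atts ) {
    $a = single_mailchimp_defaults( $atts );
    $autocomplete = in_array( $a['autocomplete'], array( 'on', 'off' ), true )
        ? $a['autocomplete'] : 'on';
    return '<form class="single-mailchimp"'
         . ' data-success="' . esc_attr( $a['success_msg'] ) . '"'
         . ' data-error="' . esc_attr( $a['error_msg'] ) . '">'
         . '<label>' . esc_html( $a['label'] ) . '</label>'
         . '<input type="email" autocomplete="' . esc_attr( $autocomplete ) . '"'
         . ' placeholder="' . esc_attr( $a['placeholder'] ) . '">'
         . '<button type="submit">' . esc_html( $a['btn_text'] ) . '</button>'
         . '</form>';
}

add_shortcode( 'single-mailchimp', 'single_mailchimp_hardened' );
```

Shortcode attributes are untrusted input because any role that can publish or edit post content can set them; escaping at the point of output is the standard WordPress fix, and it is what the CVE text says is missing.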
Published: 2026-05-27
Score: 6.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stored XSS flaw allows a contributor‑level user or higher to embed malicious scripts into a page that will run for any visitor of that page. The vulnerability originates in the plugin's shortcode handler, the single_mailchimp() function in shortcodes.php, where attributes such as autocomplete, label, placeholder, btn_text, success_msg, and error_msg are concatenated directly into HTML output without proper sanitization or escaping. The flaw can lead to theft of user credentials, defacement, or other client‑side attacks, compromising the confidentiality, integrity, and availability of the site's data.

Affected Systems

WordPress sites that have the Single Mailchimp plugin installed with a version of 1.4 or earlier. The plugin is released by Jonathan Robbrecht under the identifier jonathan-robrecht:Single Mailchimp.

Risk and Exploitability

The CVSS score of 6.4 indicates moderate severity. No EPSS data is available, but the lack of a KEV listing suggests that no widespread exploitation data exists as of this assessment. The attack requires authenticated access with contributor privileges or higher, and success depends on the attacker’s ability to create or edit page content that includes the vulnerable shortcode. Once embedded, the malicious script executes for all users who view the affected page.

Generated by OpenCVE AI on May 27, 2026 at 07:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest available version of Single Mailchimp or apply the vendor’s official patch if it has been released.
  • If no patch is available, remove the ‘single-mailchimp’ shortcode from existing content or restrict its usage to administrators only.
  • Implement a strong content security policy to block execution of injected scripts and mitigate XSS risk.
  • Continuously monitor web logs and user activity for unusual shortcode manipulation or script injections.


Tracking


Advisories

No advisories yet.

History

Wed, 27 May 2026 13:30:00 +0000

Type: Metrics
Values Added: ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 27 May 2026 10:30:00 +0000

Type: First Time appeared
Values Added: Jonathan-robrecht; Jonathan-robrecht single Mailchimp; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Jonathan-robrecht; Jonathan-robrecht single Mailchimp; Wordpress; Wordpress wordpress

Wed, 27 May 2026 06:30:00 +0000

Type: Description
Values Added: The Single Mailchimp plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'single-mailchimp' shortcode in all versions up to, and including, 1.4. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes (autocomplete, label, placeholder, btn_text, success_msg, error_msg) which are concatenated directly into HTML output by the single_mailchimp() function in shortcodes.php. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Type: Title
Values Added: Single Mailchimp <= 1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes

Type: Weaknesses
Values Added: CWE-79

Type: References
Values Added: (none listed)

Type: Metrics
Values Added: cvssV3_1

{'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-27T10:40:01.426Z

Reserved: 2026-05-18T20:18:00.425Z

Link: CVE-2026-8868

Vulnrichment

Updated: 2026-05-27T10:39:56.257Z

NVD

Status : Received

Published: 2026-05-27T07:16:16.220

Modified: 2026-05-27T07:16:16.220

Link: CVE-2026-8868

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T10:07:46Z

Weaknesses