WordPress Forms for Mailchimp by Optin Cat Plugin <= 2.5.4 is vulnerable to Cross Site Scripting (XSS)
Description
Auth. (editor+) Stored Cross-Site Scripting (XSS) vulnerability in Fatcat Apps Forms for Mailchimp by Optin Cat – Grow Your MailChimp List plugin <= 2.5.4 versions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Optin Cat's Mailchimp plugin ≤2.5.4 via editor-level form creation, allowing malicious script injection into Mailchimp forms.
Vulnerability
Auth. (editor+) Stored Cross-Site Scripting (XSS) vulnerability exists in Fatcat Apps’ Forms for Mailchimp by Optin Cat – Grow Your MailChimp List plugin versions <= 2.5.4. The issue allows users with editor-level access or higher to inject arbitrary JavaScript into Mailchimp forms via the form creation interface, which is then stored and executed when other users (including administrators) view the affected form [1].
Exploitation
An attacker must have an editor, author, or administrator role on the WordPress site. The attacker crafts a Mailchimp form containing malicious JavaScript in one of the input fields (e.g., form title, description, or custom HTML fields). Once the form is saved, the payload is stored in the database. When any user (including site visitors or other admins) views the page or widget displaying that form, the injected script executes in their browser session [1]. No additional user interaction beyond loading the page is required.
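The store-then-render path described above is the generic shape of a stored XSS in a WordPress plugin: editor-supplied text is written to the database without being restricted to a safe tag set, and later printed into a page without context-appropriate escaping. The following is an added, hypothetical example of the defensive pattern (it is not the Optin Cat plugin's code, and the option name, field names and handler names are assumptions): sanitize on save according to the saving user's capability, and escape again on output so that payloads already sitting in the database are neutralised too.

```php
<?php
// Hypothetical hardening pattern for a plugin that stores editor-supplied form
// settings. Not the Optin Cat plugin's own code; option and field names are
// illustrative assumptions.

// Save path: sanitize once, according to what the current user may store.
function example_save_form_settings( array $raw ) {
    // wp_unslash() undoes WordPress's request slashing before sanitizing.
    $title = sanitize_text_field( wp_unslash( $raw['title'] ?? '' ) );

    // Free-form HTML only for users holding unfiltered_html (administrators on a
    // single-site install). Everyone else, editors included, is limited to the
    // post-safe tag set, which strips <script> and on* event handler attributes.
    $description = wp_unslash( $raw['description'] ?? '' );
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        $description = wp_kses_post( $description );
    }

    update_option( 'example_mailchimp_form', array(
        'title'       => $title,
        'description' => $description,
    ) );
}

// Render path: escape for the exact context each value lands in. Data coming
// from the database is not trusted; "stored" is not "safe".
function example_render_form() {
    $form = get_option(
        'example_mailchimp_form',
        array( 'title' => '', 'description' => '' )
    );
    ?>
    <form class="example-form" data-form-title="<?php echo esc_attr( $form['title'] ); ?>">
        <h3><?php echo esc_html( $form['title'] ); ?></h3>
        <!-- Re-filtering on output also covers values saved before the fix. -->
        <div class="description"><?php echo wp_kses_post( $form['description'] ); ?></div>
        <input type="email" name="email"
               placeholder="<?php echo esc_attr__( 'Email address', 'example' ); ?>">
    </form>
    <?php
}
```

The two-sided approach matters for a stored bug in particular: upgrading the plugin stops new payloads from being saved, but anything injected before the upgrade remains in the options table, so output-side filtering (or a one-time review of existing form content after updating) is what removes the exposure for users who load those forms.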
Impact
Successful exploitation leads to stored XSS, enabling the attacker to execute arbitrary JavaScript in the context of the victim's browser. This can result in session hijacking, credential theft, defacement, or redirection to malicious sites. The attacker does not gain direct server-level control but can compromise administrative accounts if an admin views the poisoned form [1].
Mitigation
The vulnerability is fixed in version 2.6.2 of the plugin, released on 2026-04-11 [1]. Users are strongly advised to update to version 2.6.2 or later. No workaround is available, and the plugin should not be used without the update. The plugin is not currently listed on CISA's Known Exploited Vulnerabilities catalog.
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: <=2.5.4
- Fatcat Apps / Forms for Mailchimp by Optin Cat – Grow Your MailChimp List (Range: n/a)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.