CVE-2026-8868
Description
The Single Mailchimp plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'single-mailchimp' shortcode in all versions up to, and including, 1.4. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes (autocomplete, label, placeholder, btn_text, success_msg, error_msg) which are concatenated directly into HTML output by the single_mailchimp() function in shortcodes.php. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Single Mailchimp plugin for WordPress ≤1.4 has Stored XSS via unsanitized shortcode attributes, allowing contributor+ users to inject scripts.
Vulnerability
The Single Mailchimp plugin for WordPress versions up to and including 1.4 contains a Stored Cross-Site Scripting (XSS) vulnerability in the single-mailchimp shortcode. The single_mailchimp() function in shortcodes.php directly concatenates user-supplied shortcode attributes — autocomplete, label, placeholder, btn_text, success_msg, and error_msg — into the generated HTML output without proper input sanitization or output escaping [1][2]. This allows any authenticated user with contributor-level access or higher to supply malicious JavaScript payloads through these attributes, which become part of the page content and are stored persistently.
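The following is an added illustration, not the plugin's own code: a minimal reconstruction of the unsafe pattern the advisory describes (attribute values concatenated straight into markup) placed beside a hardened handler that uses WordPress's shortcode_atts(), esc_attr() and esc_html(). The shortcode name, function name and attribute names come from the advisory; the HTML layout, default values and the allow-list for autocomplete are assumptions for the example.

```php
<?php
// Added example, not the Single Mailchimp plugin's source. Attribute names and
// the shortcode tag follow the advisory; everything else is assumed.

// Unsafe pattern described in the advisory: contributor-controlled attribute
// strings are concatenated into the HTML unchanged, so they can close the
// attribute or element they sit in and add their own markup.
function single_mailchimp_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'label' => 'Email', 'placeholder' => '' ), $atts, 'single-mailchimp' );
    return '<label>' . $atts['label'] . '</label>'
         . '<input type="email" placeholder="' . $atts['placeholder'] . '">';
}

// Hardened handler: every value is escaped for the context it lands in
// (esc_attr for attribute values, esc_html for element text), and the
// autocomplete attribute is restricted to a known-good token list because
// escaping alone cannot make an arbitrary token meaningful there.
function single_mailchimp( $atts ) {
    $atts = shortcode_atts( array(
        'autocomplete' => 'off',
        'label'        => 'Email address',
        'placeholder'  => 'you@example.com',
        'btn_text'     => 'Subscribe',
        'success_msg'  => 'Thanks for subscribing.',
        'error_msg'    => 'Something went wrong, please try again.',
    ), $atts, 'single-mailchimp' );

    $allowed_autocomplete = array( 'on', 'off', 'email' ); // assumed allow-list
    $autocomplete = in_array( $atts['autocomplete'], $allowed_autocomplete, true )
        ? $atts['autocomplete']
        : 'off';

    $html  = '<form class="single-mailchimp" method="post">';
    $html .= '<label for="single-mailchimp-email">' . esc_html( $atts['label'] ) . '</label>';
    $html .= '<input type="email" id="single-mailchimp-email" name="email"'
           . ' autocomplete="' . esc_attr( $autocomplete ) . '"'
           . ' placeholder="' . esc_attr( $atts['placeholder'] ) . '">';
    $html .= '<button type="submit">' . esc_html( $atts['btn_text'] ) . '</button>';
    // Status messages are rendered as escaped text; if they were handed to
    // JavaScript instead, wp_json_encode() would be the right escape there.
    $html .= '<p class="single-mailchimp-success" hidden>' . esc_html( $atts['success_msg'] ) . '</p>';
    $html .= '<p class="single-mailchimp-error" hidden>' . esc_html( $atts['error_msg'] ) . '</p>';
    $html .= '</form>';
    return $html;
}

add_shortcode( 'single-mailchimp', 'single_mailchimp' );
```

The point of the hardened version is that escaping is chosen per output context: a value inside a quoted attribute goes through esc_attr(), a value between tags through esc_html(), and an attribute whose only valid values are a small fixed set is validated against that set rather than escaped. A reviewer checking a fix for this class of bug should look for exactly that pairing on every attribute the shortcode accepts.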
Exploitation
An attacker must have a WordPress account with at least contributor-level permissions, enabling them to create or edit posts/pages that support shortcodes. The attacker inserts the [single-mailchimp] shortcode and sets one or more of the vulnerable attributes to a crafted string, for example autocomplete="". When the post or page is visited by any user (including administrators or site visitors), the injected script executes in the context of the victim's browser session. No additional user interaction beyond visiting the affected page is required.
Impact
Successful exploitation results in arbitrary JavaScript execution within the victim's browser. An attacker can perform actions such as stealing session cookies, redirecting users to malicious sites, defacing the page, or performing actions on behalf of the authenticated victim. The attack is persistent (stored), meaning the injected script remains on the page until removed, affecting all subsequent visitors.
Mitigation
As of the publication date (2026-05-27), no patched version has been released. The vendor is expected to produce an updated version with proper escaping of shortcode attributes. In the interim, site administrators should restrict contributor-level and higher access to trusted users only, and consider using a Web Application Firewall (WAF) to block known XSS payloads. If the shortcode is not actively used, removing the plugin entirely is a viable workaround.
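As an added interim measure, not one the advisory or the vendor lists: where a site needs the plugin installed but does not render the form, the shortcode alone can be unregistered from a must-use plugin so that stored [single-mailchimp] tags render as empty strings instead of executing the vulnerable handler. This assumes the plugin registers its shortcode at or before the init hook, so the late-priority callback below runs after it.

```php
<?php
/**
 * Plugin Name: Disable single-mailchimp shortcode (interim mitigation)
 *
 * Added example, not part of the Single Mailchimp plugin. Drop this file into
 * wp-content/mu-plugins/ so it loads before regular plugins.
 */

add_action( 'init', function () {
    // Unregister the handler named in the advisory. Any stored instance of the
    // shortcode in post content then renders as nothing rather than as the
    // unescaped HTML the vulnerable single_mailchimp() function builds.
    remove_shortcode( 'single-mailchimp' );
}, PHP_INT_MAX ); // assumed: run after the plugin's own registration on init
```

Remove the must-use plugin once a vendor release that escapes the attributes is installed; until then, the attribute values already stored in posts remain in the database, so an audit of existing content by users with contributor-level access or higher is still worthwhile.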
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- (no CPE) range: <=1.4
- (no CPE) range: <=1.4
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (3)
News mentions (0)
No linked articles in our index yet.