PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-8868 jonathan-robrecht CVE debrief

The Single Mailchimp plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability affecting versions up to and including 1.4. The flaw resides in the `single_mailchimp()` shortcode handler (shortcodes.php), which fails to sanitize or escape user-supplied attributes—`autocomplete`, `label`, `placeholder`, `btn_text`, `success_msg`, and `error_msg`—before concatenating them into HTML output. Authenticated attackers with contributor-level privileges or higher can inject arbitrary JavaScript via these shortcode attributes. The injected scripts execute in the context of any user viewing the affected page, enabling session hijacking, credential theft, or administrative action abuse. The vulnerability was disclosed on 2026-05-27 and carries a CVSS 3.1 score of 6.4 (Medium severity). No known exploitation in the wild or ransomware campaign use has been reported.

Vendor: jonathan-robrecht
Product: Single Mailchimp
CVSS: MEDIUM 6.4
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-27
Original CVE updated: 2026-05-27
Advisory published: 2026-05-27
Advisory updated: 2026-05-27

Who should care

WordPress site administrators using Single Mailchimp plugin; security teams managing WordPress content management workflows; developers maintaining forked or customized versions of the plugin.

Technical summary

The `single_mailchimp()` function in shortcodes.php directly interpolates shortcode attributes into HTML without sanitization or escaping. Affected attributes: `autocomplete`, `label`, `placeholder`, `btn_text`, `success_msg`, `error_msg`. Attack vector: an authenticated HTTP POST that creates or edits a post containing a malicious shortcode. Impact: arbitrary script execution in the victim's browser with the privileges of the viewing user.
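As an added illustration, not the plugin's own source (which this debrief does not reproduce): a hypothetical shortcode handler written in the unescaped pattern described above, beside a hardened form that escapes each value for the HTML context it lands in using WordPress's `esc_attr()` and `esc_html()`. The function names and markup are assumptions; only the shortcode tag and attribute names come from the advisory.

```php
<?php
// Added illustration, not the plugin's code. Attribute names follow the
// advisory; the function names and the generated markup are hypothetical.

// Unsafe pattern: attribute values are concatenated straight into HTML, so a
// contributor-supplied value can close the attribute or tag it is placed in.
function example_single_mailchimp_unsafe( $atts ) {
    $a = shortcode_atts( array(
        'label'       => 'Email',
        'placeholder' => 'you@example.com',
        'btn_text'    => 'Subscribe',
    ), (array) $atts, 'single-mailchimp' );

    return '<form class="single-mailchimp">'
        . '<label>' . $a['label'] . '</label>'
        . '<input type="email" placeholder="' . $a['placeholder'] . '">'
        . '<button type="submit">' . $a['btn_text'] . '</button>'
        . '</form>';
}

// Hardened form: esc_attr() for values inside attributes, esc_html() for
// text between tags; autocomplete is restricted to an allow-list instead.
function example_single_mailchimp_safe( $atts ) {
    $a = shortcode_atts( array(
        'autocomplete' => 'on',
        'label'        => 'Email',
        'placeholder'  => 'you@example.com',
        'btn_text'     => 'Subscribe',
        'success_msg'  => 'Thanks for subscribing.',
        'error_msg'    => 'Something went wrong.',
    ), (array) $atts, 'single-mailchimp' );

    $autocomplete = in_array( $a['autocomplete'], array( 'on', 'off' ), true )
        ? $a['autocomplete'] : 'on';

    return '<form class="single-mailchimp"'
        . ' data-success="' . esc_attr( $a['success_msg'] ) . '"'
        . ' data-error="' . esc_attr( $a['error_msg'] ) . '">'
        . '<label>' . esc_html( $a['label'] ) . '</label>'
        . '<input type="email" autocomplete="' . esc_attr( $autocomplete ) . '"'
        . ' placeholder="' . esc_attr( $a['placeholder'] ) . '">'
        . '<button type="submit">' . esc_html( $a['btn_text'] ) . '</button>'
        . '</form>';
}

add_shortcode( 'single-mailchimp', 'example_single_mailchimp_safe' );
```

Values that end up in a JavaScript context (for example a message handed to an inline script) need `esc_js()` or `wp_json_encode()` rather than `esc_attr()`; the escaping function must match the output context.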

Defensive priority

medium

Recommended defensive actions

  • Upgrade Single Mailchimp plugin to version 1.5 or later if available; otherwise, disable the plugin until a patch is released.
  • Apply Content Security Policy (CSP) headers to mitigate impact of any residual XSS vectors.
  • Review existing posts and pages for suspicious shortcode usage, particularly `[single-mailchimp]` with non-standard attribute values.
  • Restrict contributor and author roles to trusted users pending patch availability.
  • Enable WordPress automatic plugin updates for security releases to reduce exposure window.

Evidence notes

Vulnerability confirmed via Wordfence advisory and WordPress plugin repository source code review (shortcodes.php lines 9 and 23). CWE-79 classification applied. CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N.

Official resources

2026-05-27