MEDIUM
jonathan-robrecht
CVE published 2026-05-27
CVE-2026-8868
The Single Mailchimp plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability affecting versions up to and including 1.4. The flaw resides in the `single_mailchimp()` shortcode handler (shortcodes.php), which fails to sanitize or escape user-supplied attributes—`autocomplete`, `label`, `placeholder`, `btn_text`, `success_msg`, and `error_msg`—before concatenating them into HTML outp [truncated]
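
The unescaped-concatenation pattern the description names, next to a hardened form, as an added example that is not the plugin's own code. The function names, default values, form markup and `data-*` placement of the messages are assumptions made for illustration; only the six attribute names come from the advisory.

```php
<?php
// Added illustration: hypothetical handlers, not the plugin's actual source.
// Shims let the file run outside WordPress; inside WordPress the real
// esc_attr(), esc_html() and shortcode_atts() are used instead.
if (!function_exists('esc_attr')) {
    function esc_attr($s) { return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8'); }
    function esc_html($s) { return htmlspecialchars((string) $s, ENT_QUOTES, 'UTF-8'); }
    function shortcode_atts($defaults, $atts) {
        return array_merge($defaults, array_intersect_key((array) $atts, $defaults));
    }
}

// Assumed defaults for the six attributes listed in the advisory.
const DEMO_DEFAULTS = [
    'autocomplete' => 'on', 'label' => 'Email', 'placeholder' => '',
    'btn_text' => 'Subscribe', 'success_msg' => 'Thanks!', 'error_msg' => 'Error',
];

// Pattern described in the advisory: attributes concatenated into markup as-is.
function demo_form_unescaped($atts) {
    $a = shortcode_atts(DEMO_DEFAULTS, $atts);
    return '<label>' . $a['label'] . '</label>'
         . '<input type="email" placeholder="' . $a['placeholder'] . '">';
}

// Hardened form: allowlist enumerated values, escape per output context.
function demo_form_escaped($atts) {
    $a = shortcode_atts(DEMO_DEFAULTS, $atts);
    // Assumption: only on/off are accepted here; anything else falls back to off.
    $autocomplete = in_array($a['autocomplete'], ['on', 'off'], true) ? $a['autocomplete'] : 'off';
    return '<form data-success="' . esc_attr($a['success_msg']) . '"'
         . ' data-error="' . esc_attr($a['error_msg']) . '">'
         . '<label>' . esc_html($a['label']) . '</label>'
         . '<input type="email" autocomplete="' . $autocomplete . '"'
         . ' placeholder="' . esc_attr($a['placeholder']) . '">'
         . '<button type="submit">' . esc_html($a['btn_text']) . '</button></form>';
}

// Constructed input: values that try to close the quoted attribute or add tags.
$atts = ['placeholder' => '"><b>injected</b>', 'label' => '<i>Email</i>'];
echo demo_form_unescaped($atts), "\n"; // attribute text is emitted as live markup
echo demo_form_escaped($atts), "\n";   // same input is emitted as inert text
```

When reviewing a shortcode handler, check every attribute at the point it is echoed or returned: `esc_attr()` inside attribute values, `esc_html()` for element text, and an allowlist for attributes with a fixed set of valid values.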