CVE-2026-4868 Single Mailchimp <= 1.4 Authenticated Stored XSS Vulnerability Advisory

Vulnerability Overview Vulnerability Name: Single Mailchimp <= 1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes CVE Number: CVE-2026-4868 CVSS Score: 6.4 (Medium) Published Date: May 26, 2026 Last Updated: May 27, 2026 Researcher: Gilang - DJ Scope of Impact Software Type: Plugin Software Name: single-mailchimp Affected Versions: <= 1.4 Patch Status: No known patch Remediation Recommended Action: Please review the vulnerability details in detail and take mitigation measures according to your organization's risk tolerance. It may be necessary to uninstall the affected software and look for alternatives. Vulnerability Description The Single Mailchimp plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS). This vulnerability exists in all versions, including 1.4. The cause is insufficient input validation and output escaping, which allows user-supplied shortcode attributes (such as autocomplete, label, placeholder, btn, text, success, msg, error, msg) to inject arbitrary web scripts when directly concatenated into HTML output. This injection occurs via the function in . This allows authenticated attackers (Contributor role and above) to execute malicious scripts when users visit the injected page. References plugins.trac.wordpress.org Share Options Facebook Twitter LinkedIn Email Additional Information Business Hours: 9am-6pm ET, 6am-5pm PT, and 2pm-1am UTC/GMT (excluding weekends and holidays) Support Service: 24/7 support, 365 days a year, 1-hour response time Copyright Information Copyright: © 2012-2026 Defiant Inc. All Rights Reserved Other Links Terms of Service Privacy Policy and Notice at Collection Do Not Sell or Share My Personal Information Social Media X (Twitter) Facebook Instagram LinkedIn Subscription Subscribe to news and updates Enter email address Agree to Terms of Service and Privacy Policy Products and Support Products Support News About Contact Information Contact Security CVE Request Form Other Wordfence Free Wordfence Premium Wordfence Care Wordfence Response Wordfence CLI Wordfence Central Documentation Documentation Learning Center Free Support Premium Support News Blog In The News Vulnerability Advisories About About Wordfence Affiliate Program Employment Subscription Sign up for news and updates from our panel of experienced security professionals. Subscription Form Enter email address Agree to Terms of Service and Privacy Policy Submit button Copyright © 2012-2026 Defiant Inc. All Rights Reserved Other Wordfence Intelligence Vulnerability Database Single Mailchimp <= 1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes Vulnerability Details Software Type: Plugin Software Name: single-mailchimp Affected Versions: <= 1.4 Patch Status: No known patch Remediation Recommendations Please review the vulnerability details in detail and take mitigation measures according to your organization's risk tolerance. It may be necessary to uninstall the affected software and look for alternatives. References plugins.trac.wordpress.org Share Options Facebook Twitter LinkedIn Email Additional Information Business Hours: 9am-6pm ET, 6am-5pm PT, and 2pm-1am UTC/GMT (excluding weekends and holidays) Support Service: 24/7 support, 365 days a year, 1-hour response time Copyright Information Copyright: © 2012-2026 Defiant Inc. All Rights Reserved Other Links Terms of Service Privacy Policy and Notice at Collection Do Not Sell or Share My Personal Information Social Media X (Twitter) Facebook Instagram LinkedIn Subscription Subscribe to news and updates Enter email address Agree to Terms of Service and Privacy Policy Products and Support Products Support News About Contact Information Contact Security CVE Request Form Other Wordfence Free Wordfence Premium Wordfence Care Wordfence Response Wordfence CLI Wordfence Central Documentation Documentation Learning Center Free Support Premium Support News Blog In The News Vulnerability Advisories About About Wordfence Affiliate Program Employment Subscription Sign up for news and updates from our panel of experienced security professionals. Subscription Form Enter email address Agree to Terms of Service and Privacy Policy Submit button Copyright © 2012-2026 Defiant Inc. All Rights Reserved Other Wordfence Intelligence Vulnerability Database Single Mailchimp <= 1.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes Vulnerability Details Software Type: Plugin Software Name: single-mailchimp Affected Versions: <= 1.4 Patch Status: No known patch Remediation Recommendations Please review the vulnerability details in detail and take mitigation measures according to your organization's risk tolerance. It may be necessary to uninstall the affected software and look for alternatives. References plugins.trac.wordpress.org Share Options Facebook Twitter LinkedIn Email Additional Information Business Hours: 9am-6pm ET, 6am-5pm PT, and 2pm-1am UTC/GMT (excl

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2026-4868 Single Mailchimp <= 1.4 Authenticated Stored XSS Vulnerability Advisory

More from this source