Vulnerabilities ›

CVE-2026-8868

Medium

CWE-79 — Weakness Type

                    Published: May 27, 2026                      ·  Modified: May 30, 2026                      ·  Source: NVD                

CVSS v3

6.4

🔗 NVD Official

📄 Description (English)

The Single Mailchimp plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'single-mailchimp' shortcode in all versions up to, and including, 1.4. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes (autocomplete, label, placeholder, btn_text, success_msg, error_msg) which are concatenated directly into HTML output by the single_mailchimp() function in shortcodes.php. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

🤖 AI Executive Summary

The Single Mailchimp WordPress plugin (versions ≤1.4) contains a Stored Cross-Site Scripting (XSS) vulnerability in shortcode attributes that allows authenticated contributors to inject malicious scripts. While requiring contributor-level access, the vulnerability poses significant risk to Saudi organizations using WordPress for public-facing websites, particularly those handling customer data or marketing communications. No patch is currently available, requiring immediate compensating controls.

📄 Description (Arabic)

🤖 AI Intelligence Analysis Analyzed: May 28, 2026 11:49

🇸🇦 Saudi Arabia Impact Assessment

High impact for Saudi e-commerce, banking digital marketing, government public portals, and healthcare websites using WordPress with Mailchimp integration. Banking sector (SAMA-regulated) faces reputational and compliance risks if customer data is compromised through XSS injection. Government agencies (NCA oversight) using WordPress for citizen services could face data breach incidents. Telecom and retail sectors heavily reliant on WordPress marketing sites are particularly vulnerable. The vulnerability requires authenticated access, limiting exposure but affecting internal security posture and third-party contractor risks.

🏢 Affected Saudi Sectors

Banking and Financial Services Government and Public Administration Healthcare and Medical Services E-commerce and Retail Telecommunications Energy and Utilities Education Media and Publishing

🎯 MITRE ATT&CK Techniques

T1190 - Exploit Public-Facing Application T1598 - Phishing T1566 - Phishing: Email T1204 - User Execution T1059 - Command and Scripting Interpreter T1539 - Steal Web Session Cookie T1056 - Input Capture

⚖️ Saudi Risk Score (AI)

6.8

/ 10.0

🔧 Remediation Steps (English)

IMMEDIATE ACTIONS:

1. Audit all WordPress installations using Single Mailchimp plugin ≤v1.4 across your organization

2. Restrict contributor-level access to only trusted personnel; review and revoke unnecessary contributor accounts

3. Disable the plugin immediately if not actively used; if required, isolate affected pages from public access

4. Review all pages/posts using 'single-mailchimp' shortcodes for signs of XSS injection (unusual script tags, onclick handlers, onerror attributes)



COMPENSATING CONTROLS:

5. Implement Web Application Firewall (WAF) rules to detect and block XSS payloads in shortcode attributes (autocomplete, label, placeholder, btn_text, success_msg, error_msg)

6. Enable WordPress security plugins (Wordfence, Sucuri) with XSS detection and Content Security Policy (CSP) headers

7. Apply strict Content Security Policy headers: script-src 'self'; object-src 'none'; base-uri 'self'

8. Implement input validation at database level for shortcode attributes

9. Monitor WordPress user activity logs for suspicious shortcode modifications

10. Conduct code review of any custom modifications to shortcodes.php



DETECTION:

11. Search WordPress database for shortcodes containing: <script, javascript:, onerror=, onclick=, onload=

12. Monitor access logs for POST requests modifying pages with single-mailchimp shortcodes

13. Alert on any contributor account creating/modifying posts with shortcodes containing HTML/JS

🔧 خطوات المعالجة (العربية)

الإجراءات الفورية:

1. تدقيق جميع تثبيتات WordPress التي تستخدم مكون Single Mailchimp ≤v1.4 عبر مؤسستك

2. تقييد وصول المساهم إلى الموظفين الموثوقين فقط؛ مراجعة وإلغاء حسابات المساهمين غير الضرورية

3. تعطيل المكون فوراً إذا لم يكن قيد الاستخدام النشط؛ إذا لزم الأمر، عزل الصفحات المتأثرة عن الوصول العام

4. مراجعة جميع الصفحات/المنشورات التي تستخدم اختصارات 'single-mailchimp' للبحث عن علامات حقن XSS

الضوابط التعويضية:

5. تطبيق قواعد جدار حماية تطبيقات الويب (WAF) للكشف عن حمولات XSS وحجبها في سمات الاختصار

6. تفعيل مكونات أمان WordPress (Wordfence, Sucuri) مع رؤوس Content Security Policy

7. تطبيق رؤوس Content Security Policy الصارمة: script-src 'self'; object-src 'none'

8. تطبيق التحقق من صحة الإدخال على مستوى قاعدة البيانات

9. مراقبة سجلات نشاط مستخدمي WordPress للتعديلات المريبة على الاختصارات

10. إجراء مراجعة الكود لأي تعديلات مخصصة على shortcodes.php

الكشف:

11. البحث في قاعدة بيانات WordPress عن اختصارات تحتوي على: <script, javascript:, onerror=, onclick=

12. مراقبة سجلات الوصول لطلبات POST تعديل الصفحات

13. التنبيه على أي حساب مساهم ينشئ/يعدل منشورات تحتوي على HTML/JS

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

5.2.1 - Input validation and output encoding controls 5.3.1 - Access control for content management systems 5.4.1 - Monitoring and logging of security events 6.2.1 - Vulnerability management and patching

🔵 SAMA CSF

ID.GV-1 - Organizational processes to manage cybersecurity risk PR.AC-1 - Access control policy and procedures PR.DS-1 - Data security measures including input validation DE.CM-1 - Detection and monitoring of unauthorized access RS.RP-1 - Response and recovery planning

🟡 ISO 27001:2022

A.5.15 - Access control A.6.5.2 - Secure development policy A.8.2.3 - Segregation of duties A.12.2.1 - Input validation A.12.6.1 - Management of technical vulnerabilities

🟣 PCI DSS v4.0.1

6.5.1 - Injection flaws prevention 6.5.7 - Cross-site scripting (XSS) prevention 6.2 - Security patches and updates 7.1 - Limit access to system components

🔗 References & Sources 3

🔗

https://plugins.trac.wordpress.org/browser/single-mailchimp/trunk/shortcodes.php#L23

security@wordfence.com

🔗

https://plugins.trac.wordpress.org/browser/single-mailchimp/trunk/shortcodes.php#L9

security@wordfence.com

🔗

https://www.wordfence.com/threat-intel/vulnerabilities/id/070616c9-b6a3-43d9-a82d-5cbcf...

security@wordfence.com

📊 CVSS Score

6.4

/ 10.0 — Medium

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredL — Low / Local

User InteractionN — None / Network

ScopeC — Changed

ConfidentialityL — Low / Local

IntegrityL — Low / Local

AvailabilityN — None / Network

📋 Quick Facts

Severity Medium

CVSS Score6.4

CWECWE-79

EPSS0.03%

Exploit No

Patch ✗ No

Published 2026-05-27

Source Feed nvd

🇸🇦 Saudi Risk Score

6.8

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

CWE-79

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

CVE-2026-8868

Introduce Yourself

Sign In Required