Fetch Mailchimp Fields Security & Risk Analysis

wordpress.org/plugins/fetch-mailchimp-fields

This plugin looks up a Subscriber in MailChimp list and shows their merge fields.

0 active installs v1.6.1 PHP 5.6+ WP 4.0+ Updated May 4, 2019
apimailchimpmerge-fieldsshortcode
85
A · Safe
CVEs total0
Unpatched0
Last CVENever
Safety Verdict

Is Fetch Mailchimp Fields Safe to Use in 2026?

Generally Safe

Score 85/100

Fetch Mailchimp Fields has no known CVEs and is actively maintained. It's a solid choice for most WordPress installations.

No known CVEs Updated 7yr ago
Risk Assessment

The 'fetch-mailchimp-fields' v1.6.1 plugin exhibits a generally positive security posture based on the static analysis provided. The absence of any recorded CVEs, combined with zero critical or high severity taint flows, suggests a history of responsible development and patching. The plugin also demonstrates good practices by not utilizing dangerous functions and all SQL queries appear to be properly prepared, mitigating common injection risks. A non-existent attack surface from AJAX, REST API, shortcodes, and cron events is a significant strength, as it minimizes potential entry points for attackers.

However, there are some areas of concern that prevent a perfect score. The most notable is the low percentage of properly escaped output (17%). This indicates a significant risk of Cross-Site Scripting (XSS) vulnerabilities, especially if the data being output originates from user input or external sources. While the analysis shows no *currently identified* taint flows, the lack of proper escaping means that *any* future data flow into these unescaped outputs could lead to a vulnerability. Additionally, the lack of capability checks, while not a direct vulnerability in itself, represents a missed opportunity for robust access control.

In conclusion, the plugin has strong foundations with no known exploitable vulnerabilities and a minimal attack surface. The primary weakness lies in the inadequate output escaping, which poses a significant XSS risk that should be addressed. The absence of capability checks is a minor concern that could be improved for better overall security.

Key Concerns

  • Low output escaping (17%)
  • No capability checks
Vulnerabilities
None known

Fetch Mailchimp Fields Security Vulnerabilities

No known vulnerabilities — this is a good sign.
Version History

Fetch Mailchimp Fields Release Timeline

No version history available.
Code Analysis
Analyzed Mar 17, 2026

Fetch Mailchimp Fields Code Analysis

Dangerous Functions
0
Raw SQL Queries
0
0 prepared
Unescaped Output
10
2 escaped
Nonce Checks
1
Capability Checks
0
File Operations
0
External Requests
0
Bundled Libraries
0

Output Escaping

17% escaped12 total outputs
Attack Surface

Fetch Mailchimp Fields Attack Surface

Entry Points0
Unprotected0
WordPress Hooks 9
filterplugin_action_linksadmin\class-fetch-mailchimp-fields-admin.php:21
actionadmin_menuadmin\class-fetch-mailchimp-fields-admin.php:24
actionadmin_initadmin\class-fetch-mailchimp-fields-admin.php:27
actionadmin_initadmin\class-fetch-mailchimp-fields-admin.php:28
actionplugins_loadedincludes\class-fetch-mailchimp-fields.php:132
actionadmin_enqueue_scriptsincludes\class-fetch-mailchimp-fields.php:146
actionadmin_enqueue_scriptsincludes\class-fetch-mailchimp-fields.php:147
actionwp_enqueue_scriptsincludes\class-fetch-mailchimp-fields.php:161
actionwp_enqueue_scriptsincludes\class-fetch-mailchimp-fields.php:162
Maintenance & Trust

Fetch Mailchimp Fields Maintenance & Trust

Maintenance Signals

WordPress version tested5.1.22
Last updatedMay 4, 2019
PHP min version5.6
Downloads1K

Community Trust

Rating0/100
Number of ratings0
Active installs0
Developer Profile

Fetch Mailchimp Fields Developer Profile

No Sokam

1 plugin · 0 total installs

84
trust score
Avg Security Score
85/100
Avg Patch Time
30 days
View full developer profile
Detection Fingerprints

How We Detect Fetch Mailchimp Fields

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/fetch-mailchimp-fields/public/css/fetch-mailchimp-fields-public.css/wp-content/plugins/fetch-mailchimp-fields/public/js/fetch-mailchimp-fields-public.js/wp-content/plugins/fetch-mailchimp-fields/admin/css/fetch-mailchimp-fields-admin.css/wp-content/plugins/fetch-mailchimp-fields/admin/js/fetch-mailchimp-fields-admin.js
Script Paths
/wp-content/plugins/fetch-mailchimp-fields/public/js/fetch-mailchimp-fields-public.js/wp-content/plugins/fetch-mailchimp-fields/admin/js/fetch-mailchimp-fields-admin.js
Version Parameters
fetch-mailchimp-fields/public/css/fetch-mailchimp-fields-public.css?ver=fetch-mailchimp-fields/public/js/fetch-mailchimp-fields-public.js?ver=fetch-mailchimp-fields/admin/css/fetch-mailchimp-fields-admin.css?ver=fetch-mailchimp-fields/admin/js/fetch-mailchimp-fields-admin.js?ver=

HTML / DOM Fingerprints

FAQ

Frequently Asked Questions about Fetch Mailchimp Fields