The plugin does not sanitize and escape some fields in the plugin settings, which could allow high-privilege users such as an administrator to inject arbitrary web scripts even when the unfiltered_html capability is disallowed (for example in a multisite setup).
patchstack.com/database/vulnerability/mailchimp-subscribe-sm/wordpress-pluginops-optin-builder-plugin-4-0-9-1-cross-site-scripting-xss
www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/mailchimp-subscribe-sm/mailchimp-subscribe-forms-4091-authenticated-administrator-stored-cross-site-scripting