CVE-2026-1781

The MC4WP: Mailchimp for WordPress plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 4.11.1. This is due to the plugin trusting the `_mc4wp_action` POST parameter without validation, allowing unauthenticated attackers to force the form to process unsubscribe actions instead of subscribe actions. This makes it possible for unauthenticated attackers to arbitrarily unsubscribe any email address from the connected Mailchimp audience via the `_mc4wp_action` parameter, granted they can obtain the form ID (which is publicly exposed in the HTML source).

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

References

Link	Resource
https://cwe.mitre.org/data/definitions/862.html
https://github.com/ibericode/mailchimp-for-wordpress/commit/5fdebc2a5e22d11287d011697a6b09331bd96fa5
https://plugins.trac.wordpress.org/browser/mailchimp-for-wp/tags/4.11.1/includes/forms/class-form-listener.php#L207
https://plugins.trac.wordpress.org/browser/mailchimp-for-wp/tags/4.11.1/includes/forms/class-form-listener.php#L53
https://plugins.trac.wordpress.org/browser/mailchimp-for-wp/tags/4.11.1/includes/forms/class-form.php#L461
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3477825%40mailchimp-for-wp%2Ftrunk&old=3443118%40mailchimp-for-wp%2Ftrunk&sfp_email=&sfph_mail=
https://www.wordfence.com/threat-intel/vulnerabilities/id/10262aa9-5656-4a2b-aeb5-060018798369?source=cve

Configurations

No configuration.

History

11 Mar 2026, 13:52

Type	Values Removed	Values Added
Summary		(es) El plugin de WordPress MC4WP: Mailchimp for WordPress es vulnerable a la falta de autorización en todas las versiones hasta la 4.11.1, inclusive. Esto se debe a que el plugin confía en el parámetro POST '_mc4wp_action' sin validación, lo que permite a atacantes no autenticados forzar al formulario a procesar acciones de desuscripción en lugar de acciones de suscripción. Esto hace posible que atacantes no autenticados desuscriban arbitrariamente cualquier dirección de correo electrónico de la audiencia de Mailchimp conectada a través del parámetro '_mc4wp_action', siempre que puedan obtener el ID del formulario (que está expuesto públicamente en el código fuente HTML).

11 Mar 2026, 02:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-11 02:16

Updated : 2026-03-11 13:52

NVD link : CVE-2026-1781

Mitre link : CVE-2026-1781

CVE.ORG link : CVE-2026-1781

JSON object : View

Products Affected

No product.

CWE

CWE-862

Missing Authorization

6.5 /10