CVE-2026-1781

MEDIUM

MC4WP: Mailchimp for WordPress <=4.11.1 - Auth Bypass

Title source: llm

Description

The MC4WP: Mailchimp for WordPress plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 4.11.1. This is due to the plugin trusting the `_mc4wp_action` POST parameter without validation, allowing unauthenticated attackers to force the form to process unsubscribe actions instead of subscribe actions. This makes it possible for unauthenticated attackers to arbitrarily unsubscribe any email address from the connected Mailchimp audience via the `_mc4wp_action` parameter, granted they can obtain the form ID (which is publicly exposed in the HTML source).

References (7)

Core 7

Core References

Various Sources

https://cwe.mitre.org/data/definitions/862.html

Patch

https://github.com/ibericode/mailchimp-for-wordpress/commit/5fdebc2a5e22d11287d011697a6b09331bd96fa5

View Patch ZIP pw:eip

Product

https://plugins.trac.wordpress.org/browser/mailchimp-for-wp/tags/4.11.1/includes/forms/class-form-listener.php#L207

Product

https://plugins.trac.wordpress.org/browser/mailchimp-for-wp/tags/4.11.1/includes/forms/class-form-listener.php#L53

Product

https://plugins.trac.wordpress.org/browser/mailchimp-for-wp/tags/4.11.1/includes/forms/class-form.php#L461

Product

https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3477825%40mailchimp-for-wp%2Ftrunk&old=3443118%40mailchimp-for-wp%2Ftrunk&sfp_email=&sfph_mail=

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/10262aa9-5656-4a2b-aeb5-060018798369?source=cve

Scores

CVSS v3 6.5

EPSS 0.0008

EPSS Percentile 22.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact partial

Details

CWE

CWE-862

Status published

Products (1)

dvankooten/MC4WP: Mailchimp for WordPress < 4.11.1

Published Mar 11, 2026

Tracked Since Mar 11, 2026