CVE-2026-1781

MEDIUM

MC4WP: Mailchimp for WordPress <=4.11.1 - Auth Bypass

Title source: llm

Description

The MC4WP: Mailchimp for WordPress plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 4.11.1. This is due to the plugin trusting the `_mc4wp_action` POST parameter without validation, allowing unauthenticated attackers to force the form to process unsubscribe actions instead of subscribe actions. This makes it possible for unauthenticated attackers to arbitrarily unsubscribe any email address from the connected Mailchimp audience via the `_mc4wp_action` parameter, granted they can obtain the form ID (which is publicly exposed in the HTML source).

References (7)

[Various Sources] https://cwe.mitre.org/data/definitions/862.html

[Patch] https://github.com/ibericode/mailchimp-for-wordpress/commit/5fdebc2a5e22d11287d011697a6b09331bd96fa5

View Patch ZIP pw:eip

[Product] https://plugins.trac.wordpress.org/browser/mailchimp-for-wp/tags/4.11.1/includes/forms/class-form-listener.php#L207

[Product] https://plugins.trac.wordpress.org/browser/mailchimp-for-wp/tags/4.11.1/includes/forms/class-form-listener.php#L53

[Product] https://plugins.trac.wordpress.org/browser/mailchimp-for-wp/tags/4.11.1/includes/forms/class-form.php#L461

[Product] https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3477825%40mailchimp-for-wp%2Ftrunk&old=3443118%40mailchimp-for-wp%2Ftrunk&sfp_email=&sfph_mail=

[Third Party Advisory] https://www.wordfence.com/threat-intel/vulnerabilities/id/10262aa9-5656-4a2b-aeb5-060018798369?source=cve

Scores

CVSS v3 6.5

EPSS 0.0005

EPSS Percentile 15.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Details

CWE

CWE-862

Status published

Products (1)

dvankooten/MC4WP: Mailchimp for WordPress < 4.11.1

Published Mar 11, 2026

Tracked Since Mar 11, 2026