CVE-2026-23693
CRITICAL: ElementsKit Lite <3.7.9 - Unauthenticated Mailchimp API Proxy Abuse
Title source: manual
Description
ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor (elementskit-lite) WordPress plugin versions prior to 3.7.9 expose the REST endpoint /wp-json/elementskit/v1/widget/mailchimp/subscribe without authentication. The endpoint accepts client-supplied Mailchimp API credentials and insufficiently validates certain parameters, including the list parameter, when constructing upstream Mailchimp API requests. An unauthenticated attacker can abuse the endpoint as an open proxy to Mailchimp, potentially triggering unauthorized API calls, manipulating subscription data, exhausting API quotas, or causing resource consumption on the affected WordPress site.
References (3)
Product (patch): https://wordpress.org/plugins/elementskit-lite/
Product (various sources): https://wpmet.com/plugin/elementskit/
Third Party Advisory: https://www.vulncheck.com/advisories/elementskit-lite-unauthenticated-mailchimp-rest-endpoint
Scores
CVSS v3: 10.0 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H)
EPSS: 0.0038 (percentile 30.0%)
Attack Vector: NETWORK
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: yes
Technical Impact: total
Details
CWE: CWE-306
Status: published
Products (1)
Roxnor/ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor, versions < 3.7.9
Published: Feb 23, 2026
Tracked Since: Feb 23, 2026