PT-2026-21554 · WordPress · Elements Kit Lite
Rahul Karne
+1
·
Publicado
2026-02-23
·
Atualizado
2026-02-28
·
CVE-2026-23693
CVSS v3.1
10
Crítica
| Vetor | AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
ElementsKit Lite WordPress plugin versions prior to 3.7.9
Description
The ElementsKit Lite WordPress plugin versions prior to 3.7.9 exposes the REST endpoint
/wp-json/elementskit/v1/widget/mailchimp/subscribe without authentication. The endpoint accepts client-supplied Mailchimp API credentials and insufficiently validates the list parameter when constructing upstream Mailchimp API requests. An unauthenticated attacker can abuse the endpoint as an open proxy to Mailchimp, potentially triggering unauthorized API calls, manipulating subscription data, exhausting API quotas, or causing resource consumption on the affected WordPress site.Recommendations
Update ElementsKit Lite WordPress plugin to version 3.7.9 or later.
Correção
Missing Authentication
Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾
Enumeração de Fraquezas
Identificadores relacionados
Produtos afetados
Elements Kit Lite