PT-2026-21554 · WordPress · Elements Kit Lite

Rahul Karne

Published

2026-02-23

Updated

2026-02-28

CVE-2026-23693

CVSS v3.1

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H

Name of the Vulnerable Software and Affected Versions ElementsKit Lite WordPress plugin versions prior to 3.7.9

Description The ElementsKit Lite WordPress plugin versions prior to 3.7.9 exposes the REST endpoint /wp-json/elementskit/v1/widget/mailchimp/subscribe without authentication. The endpoint accepts client-supplied Mailchimp API credentials and insufficiently validates the list parameter when constructing upstream Mailchimp API requests. An unauthenticated attacker can abuse the endpoint as an open proxy to Mailchimp, potentially triggering unauthorized API calls, manipulating subscription data, exhausting API quotas, or causing resource consumption on the affected WordPress site.

Recommendations Update ElementsKit Lite WordPress plugin to version 3.7.9 or later.

Fix

Missing Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-306

Related Identifiers

CVE-2026-23693

Affected Products

Elements Kit Lite

PT-2026-21554 · WordPress · Elements Kit Lite

CVE-2026-23693

Weakness Enumeration

Related Identifiers

Affected Products

References · 12