PT-2026-24546 · WordPress+1 · Mc4Wp: Mailchimp For Wordpress+1

Sarawut Poolkhet · Published 2026-03-11 · Updated 2026-03-11 · CVE-2026-1781

CVSS v3.1: 6.5 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Name of the Vulnerable Software and Affected Versions

MC4WP: Mailchimp for WordPress plugin versions prior to 4.11.2

Description

The MC4WP: Mailchimp for WordPress plugin for WordPress is susceptible to unauthorized access. The plugin improperly validates the mc4wp action POST parameter, which lets unauthenticated attackers manipulate form processing: they can force unsubscribe actions instead of subscribe actions. As a result, arbitrary email addresses can be unsubscribed from the connected Mailchimp audience, provided the attacker can determine the form ID, which is exposed in the HTML source.

Recommendations

Update MC4WP: Mailchimp for WordPress plugin to version 4.11.2 or later.
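
To act on the recommendation across several sites, the following added example (not part of the advisory or of the plugin project) classifies each WordPress root by comparing the installed plugin's header version against 4.11.2. The plugin path `wp-content/plugins/mailchimp-for-wp/mailchimp-for-wp.php` is an assumption based on the plugin's wordpress.org slug, and the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: triage WordPress installs for MC4WP older than 4.11.2.
# Assumption: the plugin's main file sits at the path in PLUGIN_REL.

FIXED_VERSION="4.11.2"
PLUGIN_REL="wp-content/plugins/mailchimp-for-wp/mailchimp-for-wp.php"

# Print the "Version:" value from a WordPress plugin header (empty if absent).
# Header lines look like "Version: 4.10.9" or " * Version: 4.10.9".
plugin_version() {
    sed -n 's/^[[:space:]*#]*Version:[[:space:]]*\([0-9][0-9A-Za-z.+-]*\).*$/\1/p' \
        "$1" 2>/dev/null | head -n 1
}

# Succeed only if version $1 is strictly older than version $2.
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Classify one WordPress root directory.
# Prints: VULNERABLE <ver> | PATCHED <ver> | NOT_INSTALLED | UNKNOWN
check_site() {
    site_file="$1/$PLUGIN_REL"
    [ -f "$site_file" ] || { echo "NOT_INSTALLED"; return 0; }
    site_ver="$(plugin_version "$site_file")"
    # A plugin file without a parsable header needs manual review.
    [ -n "$site_ver" ] || { echo "UNKNOWN"; return 0; }
    if version_lt "$site_ver" "$FIXED_VERSION"; then
        echo "VULNERABLE $site_ver"
    else
        echo "PATCHED $site_ver"
    fi
}

# Usage: ./check_mc4wp.sh /var/www/site1 /var/www/site2 ...
for root in "$@"; do
    printf '%s\t%s\n' "$root" "$(check_site "$root")"
done
```

A deactivated plugin still reports its on-disk version here, so a VULNERABLE result on an inactive install is a cleanup item rather than an exposed form.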

Fix

Missing Authorization

Weakness Enumeration

Related Identifiers

CVE-2026-1781

Affected Products

Mc4Wp: Mailchimp For Wordpress
Mailchimp