MC4WP: Mailchimp for WordPress < 4.12.0 – Unauthenticated Arbitrary Subscription Deletion | CVE 2026-1781 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Missing Authorization due to the plugin trusting the `_mc4wp_action` POST parameter without validation, allowing unauthenticated attackers to force the form to process unsubscribe actions instead of subscribe actions. This makes it possible for unauthenticated attackers to arbitrarily unsubscribe any email address from the connected Mailchimp audience via the `_mc4wp_action` parameter, granted they can obtain the form ID (which is publicly exposed in the HTML source).

Affects Plugins

mailchimp-for-wp

Fixed in 4.12.0

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/10262aa9-5656-4a2b-aeb5-060018798369

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Sarawut Poolkhet (MisterHelloz)

Verified

No

WPVDB ID

909e34d5-710f-49fd-8188-ee0ecd1522ac

Timeline

Publicly Published

2026-03-10 (about 26 days ago)

Added

2026-03-10 (about 25 days ago)

Last Updated

2026-03-10 (about 25 days ago)

Other

Published

Title

Published

2024-03-13

Title

Cryptocurrency Widgets – Price Ticker & Coins List < 2.6.9 - Missing Authorization

Published

2024-11-18

Title

Google for WooCommerce < 2.8.7 - Information Disclosure via Publicly Accessible PHP Info File

Published

2025-12-04

Title

AdForest < 6.0.12 - Missing Authorization

Published

2025-11-03

Title

Simple User Capabilities <= 1.0 - Missing Authorization to Unauthenticated Capability Reset

Published

2023-09-05

Title

Analytify Dashboard < 5.1.1 - Missing Authorization to Opt-In