WordPress Plugin Vulnerabilities

Simple Membership MailChimp Integration < 1.9.8 - API Key Update via CSRF

Description

The plugin does not perform CSRF checks on its settings page, allowing attackers to trick a logged-in administrator into changing the configured third-party API key. Once the key is replaced, all subsequent member registration data (name, email, membership level) is sent to the attacker-controlled account.
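The defect described above is the absence of a nonce check on the settings save path. The following is an added illustration, not the plugin's own code: a minimal settings handler for a hypothetical WordPress plugin, shown first in the vulnerable shape (the save relies only on the administrator's session cookie) and then in a hardened shape that requires a capability and a nonce bound to the specific action. All function, option and field names (`hypo_*`) are made up for the example.

```php
<?php
// Added example, not code from the affected plugin. Option and field names are hypothetical.

// Vulnerable shape: any POST that reaches the admin side is trusted as long as the
// browser carries an administrator session. A form submitted from a third-party page
// is indistinguishable from a legitimate save, so the key can be replaced silently.
function hypo_save_settings_vulnerable() {
    if ( isset( $_POST['hypo_api_key'] ) ) {
        update_option( 'hypo_api_key', sanitize_text_field( wp_unslash( $_POST['hypo_api_key'] ) ) );
    }
}

// Hardened shape, part 1: the settings form embeds a nonce tied to the save action.
function hypo_render_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'hypo' ) );
    }
    ?>
    <form method="post">
        <?php wp_nonce_field( 'hypo_save_settings', 'hypo_settings_nonce' ); ?>
        <label for="hypo_api_key">API key</label>
        <input type="text" id="hypo_api_key" name="hypo_api_key"
               value="<?php echo esc_attr( get_option( 'hypo_api_key', '' ) ); ?>" />
        <?php submit_button(); ?>
    </form>
    <?php
}

// Hardened shape, part 2: the save handler checks capability and nonce before writing.
// check_admin_referer() verifies the nonce for the named action and stops execution
// (wp_die) when it is missing or invalid, so a cross-site submission never reaches
// update_option().
function hypo_save_settings_hardened() {
    if ( ! isset( $_POST['hypo_api_key'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'hypo' ) );
    }
    check_admin_referer( 'hypo_save_settings', 'hypo_settings_nonce' );
    update_option( 'hypo_api_key', sanitize_text_field( wp_unslash( $_POST['hypo_api_key'] ) ) );
}
add_action( 'admin_init', 'hypo_save_settings_hardened' );
```

Plugins that route their form through the core Settings API (`register_setting()` with the form posting to `options.php`) get the nonce and capability checks from core for free; the hand-rolled handler above is where they are most often forgotten. From a detection standpoint, a key change on the settings page without a matching nonce-bearing request, or a change that coincides with registration data stopping at the expected destination, is the signal to look for.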

Proof of Concept

Affects Plugins

References

Classification

Miscellaneous

Original Researcher
Mustafa Ahmed
Submitter
Mustafa Ahmed
Submitter website
Verified
Yes

Timeline

Publicly Published
2026-04-05 (about 2 months ago)
Added
2026-05-14 (about 1 month ago)
Last Updated
2026-05-14 (about 1 month ago)

Other