NVD Vulnerability Details :
CVE-2026-1781
Deferred
Source: security@wordfence.com
Published At: 11 Mar, 2026 | 02:16
Updated At: 22 Apr, 2026 | 21:27

The MC4WP: Mailchimp for WordPress plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 4.11.1. This is due to the plugin trusting the `_mc4wp_action` POST parameter without validation, allowing unauthenticated attackers to force the form to process unsubscribe actions instead of subscribe actions. This makes it possible for unauthenticated attackers to arbitrarily unsubscribe any email address from the connected Mailchimp audience via the `_mc4wp_action` parameter, granted they can obtain the form ID (which is publicly exposed in the HTML source).

CISA Catalog
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
Type: Secondary
Version: 3.1
Base score: 6.5
Base severity: MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Weaknesses
CWE ID: CWE-862
Type: Secondary
Source: security@wordfence.com
References
Hyperlink: https://cwe.mitre.org/data/definitions/862.html
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://github.com/ibericode/mailchimp-for-wordpress/commit/5fdebc2a5e22d11287d011697a6b09331bd96fa5
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/mailchimp-for-wp/tags/4.11.1/includes/forms/class-form-listener.php#L207
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/mailchimp-for-wp/tags/4.11.1/includes/forms/class-form-listener.php#L53
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/mailchimp-for-wp/tags/4.11.1/includes/forms/class-form.php#L461
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3477825%40mailchimp-for-wp%2Ftrunk&old=3443118%40mailchimp-for-wp%2Ftrunk&sfp_email=&sfph_mail=
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/10262aa9-5656-4a2b-aeb5-060018798369?source=cve
Source: security@wordfence.com
Resource: N/A