Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools

mailchimp

Source -

NVDCNA

BOS Name -

N/A

CNA CVEs -

1

ADP CVEs -

0

CISA CVEs -

0

NVD CVEs -

3
Related CVEsRelated ProductsRelated AssignersReports
4Vulnerabilities found
CVE-2025-12172
Assigner-Wordfence
ShareView Details
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.02% / 4.67%
||
7 Day CHG~0.00%
Published-19 Feb, 2026 | 03:25
Updated-08 Apr, 2026 | 16:47
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Mailchimp List Subscribe Form <= 2.0.0 - Cross-Site Request Forgery to Mailchimp List Change

The Mailchimp List Subscribe Form plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.0. This is due to missing or incorrect nonce validation on the mailchimp_sf_change_list_if_necessary() function. This makes it possible for unauthenticated attackers to change Mailchimp lists via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Action-Not Available
Vendor-mailchimp
Product-Mailchimp List Subscribe Form
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CVE-2022-2556
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-2.7||LOW
EPSS-0.23% / 45.88%
||
7 Day CHG~0.00%
Published-29 Aug, 2022 | 17:15
Updated-03 Aug, 2024 | 00:39
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MailChimp for Woocommerce < 2.7.2 - Admin+ SSRF

The Mailchimp for WooCommerce WordPress plugin before 2.7.2 has an AJAX action that allows high privilege users to perform a POST request on behalf of the server to the internal network/LAN, the body of the request is also appended to the response so it can be used to scan private network for example

Action-Not Available
Vendor-mailchimpUnknown
Product-mailchimp_for_woocommerceMailchimp for WooCommerce
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2022-2267
Assigner-WPScan
ShareView Details
Assigner-WPScan
CVSS Score-4.3||MEDIUM
EPSS-0.21% / 43.42%
||
7 Day CHG~0.00%
Published-29 Aug, 2022 | 17:15
Updated-03 Aug, 2024 | 00:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MailChimp for Woocommerce < 2.7.1 - Subscriber+ SSRF

The Mailchimp for WooCommerce WordPress plugin before 2.7.1 has an AJAX action that allows any logged in users (such as subscriber) to perform a POST request on behalf of the server to the internal network/LAN, the body of the request is also appended to the response so it can be used to scan private network for example

Action-Not Available
Vendor-mailchimpUnknown
Product-mailchimp_for_woocommerceMailchimp for WooCommerce
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2014-7152
Assigner-MITRE Corporation
ShareView Details
Assigner-MITRE Corporation
CVSS Score-4.3||MEDIUM
EPSS-0.17% / 37.76%
||
7 Day CHG~0.00%
Published-26 Sep, 2014 | 21:00
Updated-06 May, 2026 | 22:30
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Cross-site scripting (XSS) vulnerability in the Easy MailChimp Forms plugin 3.0 through 5.0.6 for WordPress allows remote attackers to inject arbitrary web script or HTML via the update_options action to wp-admin/admin-ajax.php.

Action-Not Available
Vendor-mailchimpn/a
Product-easy_mailchimp_forms_pluginn/a
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')