
ElementsKit Elementor Addons plugin exposes an unauthenticated Mailchimp subscribe REST endpoint

CVE-2026-23693
Summary

Versions of the ElementsKit Elementor Addons (elementskit-lite) WordPress plugin before 3.7.9 register the REST endpoint /wp-json/elementskit/v1/widget/mailchimp/subscribe without any authentication check. The endpoint takes Mailchimp API credentials from the request itself and does not adequately validate parameters such as list before building the upstream Mailchimp request, so an unauthenticated attacker can use the site as an open proxy to Mailchimp: issuing API calls with attacker-chosen credentials, altering subscription data, exhausting API quotas, and consuming resources on the WordPress site. Update the plugin to version 3.7.9 or later.

Original title
ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor (elementskit-lite) WordPress plugin versions prior to 3.7.9 expose the REST endpoint /wp-json/elementskit/v1/widget/...
Original description
ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor (elementskit-lite) WordPress plugin versions prior to 3.7.9 expose the REST endpoint /wp-json/elementskit/v1/widget/mailchimp/subscribe without authentication. The endpoint accepts client-supplied Mailchimp API credentials and insufficiently validates certain parameters, including the list parameter, when constructing upstream Mailchimp API requests. An unauthenticated attacker can abuse the endpoint as an open proxy to Mailchimp, potentially triggering unauthorized API calls, manipulating subscription data, exhausting API quotas, or causing resource consumption on the affected WordPress site.
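The description above names three defects in one route: no permission check, caller-supplied upstream credentials, and an unvalidated list parameter spliced into the upstream URL. The following is an added, illustrative WordPress REST route showing that weak shape beside a hardened one. It is not code from the elementskit-lite plugin or from its fix; the acme_* names, the option name, the capability chosen, the 10-second timeout and the list-ID regex are assumptions. The Mailchimp request format (data-center subdomain taken from the API key suffix, Basic auth, POST /3.0/lists/{id}/members) follows Mailchimp's public API documentation and should be checked against the current version.

```php
<?php
// Added example: weak vs. hardened register_rest_route() for a Mailchimp
// subscribe endpoint. Hypothetical acme_* names; not the plugin's own code.

// WEAK: CWE-306 shape. Any caller reaches the route, the request chooses the
// API key, and "list" flows into the upstream URL unchecked.
add_action( 'rest_api_init', function () {
    register_rest_route( 'acme/v1', '/subscribe-weak', array(
        'methods'             => 'POST',
        'permission_callback' => '__return_true',   // no authentication at all
        'callback'            => function ( WP_REST_Request $req ) {
            $key  = $req->get_param( 'api_key' );   // attacker-controlled credential
            $list = $req->get_param( 'list' );      // attacker-controlled path segment
            $dc   = substr( $key, strrpos( $key, '-' ) + 1 );
            $url  = "https://{$dc}.api.mailchimp.com/3.0/lists/{$list}/members";
            return wp_remote_post( $url, array( 'body' => $req->get_body() ) );
        },
    ) );
} );

// HARDENED: permission_callback gates the route, credentials come from site
// configuration, and every request parameter has a validate/sanitize pair.
add_action( 'rest_api_init', function () {
    register_rest_route( 'acme/v1', '/subscribe', array(
        'methods'             => WP_REST_Server::CREATABLE,
        'permission_callback' => function () {
            // Assumed capability; pick the one that matches who may subscribe.
            return current_user_can( 'edit_posts' );
        },
        'args' => array(
            'list' => array(
                'required'          => true,
                'validate_callback' => 'acme_validate_list_id',
                'sanitize_callback' => 'sanitize_text_field',
            ),
            'email' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return is_email( $value ) !== false;
                },
                'sanitize_callback' => 'sanitize_email',
            ),
        ),
        'callback' => 'acme_subscribe',
    ) );
} );

function acme_validate_list_id( $value ) {
    // Fixed-shape allowlist so "list" cannot carry "../", "?" or "#" into the
    // upstream URL. The exact regex is an assumption about Mailchimp list IDs.
    return is_string( $value ) && preg_match( '/^[A-Za-z0-9]{1,32}$/', $value ) === 1;
}

function acme_subscribe( WP_REST_Request $req ) {
    // Credential is read from the site's own configuration, never the request.
    $api_key = get_option( 'acme_mailchimp_api_key' );
    if ( ! is_string( $api_key ) || strpos( $api_key, '-' ) === false ) {
        return new WP_Error( 'acme_not_configured', 'Mailchimp is not configured.', array( 'status' => 503 ) );
    }
    // Data-center suffix of the key selects the API host; constrain its shape
    // so a malformed stored key cannot redirect the request elsewhere.
    $dc = substr( $api_key, strrpos( $api_key, '-' ) + 1 );
    if ( preg_match( '/^[a-z0-9]{1,8}$/', $dc ) !== 1 ) {
        return new WP_Error( 'acme_bad_key', 'Mailchimp key has an unexpected format.', array( 'status' => 503 ) );
    }
    $url = sprintf(
        'https://%s.api.mailchimp.com/3.0/lists/%s/members',
        $dc,
        rawurlencode( $req['list'] )
    );
    $resp = wp_remote_post( $url, array(
        'timeout' => 10,   // bounds resource consumption if Mailchimp is slow
        'headers' => array(
            'Authorization' => 'Basic ' . base64_encode( 'anystring:' . $api_key ),
            'Content-Type'  => 'application/json',
        ),
        'body' => wp_json_encode( array(
            'email_address' => $req['email'],
            'status'        => 'pending',   // double opt-in rather than a silent add
        ) ),
    ) );
    if ( is_wp_error( $resp ) ) {
        // Do not echo upstream error bodies back to the caller.
        return new WP_Error( 'acme_upstream', 'Upstream request failed.', array( 'status' => 502 ) );
    }
    $code = wp_remote_retrieve_response_code( $resp );
    return rest_ensure_response( array( 'ok' => $code >= 200 && $code < 300 ) );
}
```

A subscribe form is often meant for anonymous visitors, in which case current_user_can() is not an option. The other two controls still apply unchanged: the API key must be server-side configuration rather than a request parameter, and list must be validated (or replaced by a server-side lookup of the configured audience) before it touches the upstream URL; add per-IP rate limiting on top so the route cannot be used to burn the site's Mailchimp quota.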
NVD CVSS 3.1: 10.0
NVD CVSS 4.0: 9.3
Vulnerability type
CWE-306 Missing Authentication for Critical Function
Published: 23 Feb 2026 · Updated: 12 Mar 2026 · First seen: 6 Mar 2026