Mailchimp for WordPress Plugin Allows Unauthenticated Unsubscribes

Monitor vulnerabilities like this one. Sign up free to get alerted when software you use is affected.

6.5

Mailchimp for WordPress Plugin Allows Unauthenticated Unsubscribes

CVE-2026-1781

Summary

The Mailchimp for WordPress plugin is vulnerable to a security issue that allows attackers to remove email addresses from your Mailchimp list without permission. This can happen if an attacker knows the form ID, which is easily visible in the plugin's code. To protect your list, update the plugin to the latest version.

Original title

Original description

The MC4WP: Mailchimp for WordPress plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 4.11.1. This is due to the plugin trusting the `_mc4wp_action` POST parameter without validation, allowing unauthenticated attackers to force the form to process unsubscribe actions instead of subscribe actions. This makes it possible for unauthenticated attackers to arbitrarily unsubscribe any email address from the connected Mailchimp audience via the `_mc4wp_action` parameter, granted they can obtain the form ID (which is publicly exposed in the HTML source).

nvd CVSS3.1 6.5

Vulnerability type

CWE-862 Missing Authorization

Published: 11 Mar 2026 · Updated: 13 Mar 2026 · First seen: 11 Mar 2026