MC4WP: Mailchimp for WordPress Missing Authorization Vulnerability Allowing Unauthenticated Unsubscription

Vulnerability

A missing authorization vulnerability has been identified in the MC4WP: Mailchimp for WordPress plugin, affecting all versions through 4.11.1. The vulnerability arises because the plugin does not properly validate the '_mc4wp_action' POST parameter. This oversight allows unauthenticated attackers to manipulate the form's subscription actions, specifically by forcing the unsubscription of any email address from the connected Mailchimp audience. The form ID, which is publicly available in the HTML source, is required to exploit this vulnerability.

Impact

Exploitation of this vulnerability allows for unauthorized unsubscription of email addresses from Mailchimp lists, potentially disrupting communication or marketing efforts associated with those contacts.

Reproduction

To reproduce this vulnerability, send a POST request to a form managed by the MC4WP: Mailchimp for WordPress plugin. Include the '_mc4wp_action' parameter set to 'unsubscribe' and the form ID of the target form. The absence of authorization checks will result in the specified email address being unsubscribed from the Mailchimp list.
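For defenders who keep request-level logs (a WAF export or a reverse-proxy log that records form bodies), the following added example, which is not part of this advisory or of the plugin, flags unauthenticated POSTs that carry `_mc4wp_action=unsubscribe` for a form the site does not intend to serve unsubscribe requests. The parameter name `_mc4wp_action` comes from the advisory; the `_mc4wp_form_id` and `EMAIL` field names, the record format and the sample traffic are constructed assumptions.

```python
from urllib.parse import parse_qs

# Constructed sample request records (hypothetical log export, not real traffic).
# "authenticated" means a logged-in WordPress session was present on the request.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/newsletter/", "authenticated": False,
     "body": "_mc4wp_action=subscribe&_mc4wp_form_id=123&EMAIL=alice%40example.com"},
    {"method": "POST", "path": "/newsletter/", "authenticated": False,
     "body": "_mc4wp_action=unsubscribe&_mc4wp_form_id=123&EMAIL=bob%40example.com"},
    {"method": "POST", "path": "/newsletter/", "authenticated": True,
     "body": "_mc4wp_action=unsubscribe&_mc4wp_form_id=123&EMAIL=carol%40example.com"},
    {"method": "GET", "path": "/newsletter/", "authenticated": False, "body": ""},
    {"method": "POST", "path": "/newsletter/", "authenticated": False,
     "body": "_mc4wp_action=UNSUBSCRIBE&_mc4wp_form_id=123&EMAIL=dave%40example.com"},
]


def parse_form_body(body):
    """Decode an application/x-www-form-urlencoded body into single-valued fields."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def is_suspicious_unsubscribe(req, expected_unsubscribe_forms=frozenset()):
    """True for an unauthenticated POST whose MC4WP action is 'unsubscribe' and whose
    form ID is not one the site deliberately exposes as an unsubscribe form.
    The value check is case-insensitive and trimmed so trivial variants are caught."""
    if req["method"].upper() != "POST" or req["authenticated"]:
        return False
    fields = parse_form_body(req["body"])
    action = fields.get("_mc4wp_action", "").strip().lower()
    # "_mc4wp_form_id" is an assumed field name for the form ID the advisory mentions.
    form_id = fields.get("_mc4wp_form_id", "")
    return action == "unsubscribe" and form_id not in expected_unsubscribe_forms


def find_suspicious_unsubscribes(requests, expected_unsubscribe_forms=frozenset()):
    """Return (form_id, email) pairs for requests that should be reviewed."""
    hits = []
    for req in requests:
        if is_suspicious_unsubscribe(req, expected_unsubscribe_forms):
            fields = parse_form_body(req["body"])
            # "EMAIL" is the assumed name of the address field in the form body.
            hits.append((fields.get("_mc4wp_form_id", ""), fields.get("EMAIL", "")))
    return hits


if __name__ == "__main__":
    for form_id, email in find_suspicious_unsubscribes(SAMPLE_REQUESTS):
        print(f"review: unauthenticated unsubscribe via form {form_id} for {email}")
```

Passing the IDs of forms that legitimately offer unsubscription in `expected_unsubscribe_forms` keeps ordinary unsubscribe traffic out of the review queue.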

Remediation

Users are advised to update the MC4WP: Mailchimp for WordPress plugin to version 4.12.0 or later, where this vulnerability has been patched.

Added: Mar 11, 2026, 2:19 AM
Updated: Mar 11, 2026, 2:19 AM

Vulnerability Rating

Custom Algorithm

spread: 7.6
impact: 0.8
exploitability: 7.4
remediation: 7.7
relevance: 3.8
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.