ElementsKit Lite
cpe:2.3:a:wpmet:elementskit:*:*:*:*:wordpress:*:*
- < 3.7.9
A vulnerability exists in the ElementsKit Lite WordPress plugin in versions prior to 3.7.9. The REST endpoint /wp-json/elementskit/v1/widget/mailchimp/subscribe is exposed without authentication, accepts Mailchimp API credentials supplied in the request, and performs inadequate validation of certain parameters, particularly the list parameter, before using them in requests to the Mailchimp API. As a result, an unauthenticated attacker could use this endpoint as an open proxy to Mailchimp, potentially leading to unauthorized API calls, manipulation of subscription data, exhaustion of API quotas, or increased resource consumption on the WordPress site.
Exploitation of this vulnerability could result in unauthorized Mailchimp API interactions, including manipulation of subscription information and depletion of API usage limits. Additionally, it could cause increased resource usage on the affected WordPress site.
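For defenders reviewing their own plugin code, the following is an added illustration (not ElementsKit's code, and not the vendor's fix) of how a WordPress REST subscribe route avoids the two weaknesses described above: the handler never accepts Mailchimp credentials from the request body, and the `list` parameter is validated both for shape and against an administrator-configured allowlist before it reaches the Mailchimp API. The option names `example_mailchimp_api_key` and `example_mailchimp_allowed_lists`, the handler name, and the assumed 10-character hexadecimal shape of a Mailchimp audience id are assumptions made for this example.

```php
<?php
// Added example (hypothetical plugin code, not ElementsKit's): a hardened
// REST subscribe route. The route path matches the endpoint named in the
// advisory; everything else is assumed for illustration.

add_action( 'rest_api_init', function () {
    register_rest_route(
        'elementskit/v1',
        '/widget/mailchimp/subscribe',
        array(
            'methods'  => WP_REST_Server::CREATABLE, // POST only
            'callback' => 'example_mailchimp_subscribe', // hypothetical handler
            // A newsletter form is used by anonymous visitors, so the route is
            // public; that is only acceptable because the handler below takes
            // credentials from stored options, never from the request.
            'permission_callback' => '__return_true',
            'args' => array(
                'email' => array(
                    'required'          => true,
                    'sanitize_callback' => 'sanitize_email',
                    'validate_callback' => function ( $value ) {
                        return is_email( $value ) !== false;
                    },
                ),
                // `list` is checked for shape (assumed: 10 hex chars) and then
                // against the allowlist an administrator saved, so it cannot
                // smuggle path or query fragments to the upstream API.
                'list' => array(
                    'required'          => true,
                    'validate_callback' => function ( $value ) {
                        if ( ! is_string( $value ) || preg_match( '/^[a-f0-9]{10}$/', $value ) !== 1 ) {
                            return false;
                        }
                        $allowed = get_option( 'example_mailchimp_allowed_lists', array() ); // hypothetical option
                        return in_array( $value, (array) $allowed, true );
                    },
                ),
            ),
        )
    );
} );

function example_mailchimp_subscribe( WP_REST_Request $request ) {
    // Credentials come from a site option saved by an administrator, never
    // from the request body, so the endpoint cannot proxy arbitrary accounts.
    $api_key = get_option( 'example_mailchimp_api_key' ); // hypothetical option
    if ( empty( $api_key ) || strpos( $api_key, '-' ) === false ) {
        return new WP_Error( 'not_configured', 'Mailchimp is not configured.', array( 'status' => 500 ) );
    }

    // Mailchimp keys end in "-<datacenter>" (e.g. "-us6"); derive the API host from it.
    $dc  = substr( strrchr( $api_key, '-' ), 1 );
    $url = sprintf(
        'https://%s.api.mailchimp.com/3.0/lists/%s/members',
        rawurlencode( $dc ),
        rawurlencode( $request->get_param( 'list' ) )
    );

    $response = wp_remote_post( $url, array(
        'timeout' => 10,
        'headers' => array(
            'Authorization' => 'Basic ' . base64_encode( 'anystring:' . $api_key ),
            'Content-Type'  => 'application/json',
        ),
        'body' => wp_json_encode( array(
            'email_address' => $request->get_param( 'email' ),
            'status'        => 'pending', // double opt-in
        ) ),
    ) );

    if ( is_wp_error( $response ) ) {
        return new WP_Error( 'upstream', 'Mailchimp request failed.', array( 'status' => 502 ) );
    }

    // Return only a status code; upstream response bodies are not echoed back.
    return rest_ensure_response( array( 'code' => wp_remote_retrieve_response_code( $response ) ) );
}
```

The design point is that a public subscribe route can be safe only when the server, not the caller, decides which Mailchimp account and audience are used; validating `list` against stored configuration also bounds the quota an anonymous caller can consume to the lists the administrator actually exposes.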