Description
The Mailchimp List Subscribe Form plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.0. This is due to missing or incorrect nonce validation on the mailchimp_sf_change_list_if_necessary() function. This makes it possible for unauthenticated attackers to change Mailchimp lists via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Published: 2026-02-19
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: CSRF‑based unauthorized modification of Mailchimp list settings
Action: Patch
AI Analysis

Impact

The Mailchimp List Subscribe Form plugin for WordPress contains a Cross‑Site Request Forgery flaw due to missing or incorrect nonce validation in the mailchimp_sf_change_list_if_necessary() function. This flaw allows an unauthenticated attacker, by tricking a site administrator into clicking a forged link, to change the Mailchimp list that the form subscribes to. The change can redirect subscriptions to an attacker‑controlled list, potentially compromising email data integrity and trust.

Affected Systems

All installations of the Mailchimp List Subscribe Form plugin for WordPress up to and including version 2.0.0 are affected. No specific smaller sub‑versions are listed, so any release with a version number of 2.0.0 or earlier is vulnerable.

Risk and Exploitability

The vulnerability rates a moderate CVSS score of 4.3 and a very low EPSS score of < 1 %. It is not listed in the CISA KEV catalog. Because the attack requires an authenticated administrator to interact with a forged request, the attacker’s success hinges on social engineering or user interaction. Once successful, the attacker gains the ability to alter list configuration, providing a channel to redistribute or harvest subscriber data.

Generated by OpenCVE AI on April 22, 2026 at 11:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Mailchimp List Subscribe Form plugin to the latest stable release that removes the CSRF vulnerability.
  • If an update is not yet available, temporarily disable the list change function for administrative users or use access restrictions until a patch is released.
  • Monitor incoming requests to the list‑change endpoint and review logs for unexpected activity to detect potential exploitation attempts.

Generated by OpenCVE AI on April 22, 2026 at 11:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 01:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Feb 2026 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Mailchimp
Mailchimp mailchimp List Subscribe Form
Wordpress
Wordpress wordpress
Vendors & Products Mailchimp
Mailchimp mailchimp List Subscribe Form
Wordpress
Wordpress wordpress

Thu, 19 Feb 2026 04:15:00 +0000

Type Values Removed Values Added
Description The Mailchimp List Subscribe Form plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.0. This is due to missing or incorrect nonce validation on the mailchimp_sf_change_list_if_necessary() function. This makes it possible for unauthenticated attackers to change Mailchimp lists via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
Title Mailchimp List Subscribe Form <= 2.0.0 - Cross-Site Request Forgery to Mailchimp List Change
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}

Subscriptions

Mailchimp Mailchimp List Subscribe Form
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:47:49.135Z

Reserved: 2025-10-24T14:55:13.389Z

Link: CVE-2025-12172

cve-icon Vulnrichment

Updated: 2026-02-19T17:04:39.011Z

cve-icon NVD

Status : Deferred

Published: 2026-02-19T07:17:27.673

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12172

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T12:00:05Z

Weaknesses