Impact
The MailChimp Campaigns plugin for WordPress contains a Missing Authorization weakness in its AJAX disconnect function. The mailchimp_campaigns_manager_disconnect_app action is invoked without verifying that the current user holds sufficient permissions. As a result, any authenticated user with Subscriber-level access or higher can call the endpoint and sever the site's connection to its MailChimp integration, interrupting automated email blasts and other marketing workflows. The flaw does not grant direct access to data or code execution, but it does allow an attacker to disrupt the business's external marketing communications.
Affected Systems
The vulnerability affects all releases of the matthieuscarset MailChimp Campaigns plugin through version 3.2.4. WordPress sites that have installed this plugin and grant Subscriber-level access to any user are at risk. The root cause is a missing capability check in the PHP file mailchimp-campaigns-manager.php, around line 636, where the disconnect function is hooked to the AJAX action of the same name. MailChimp Campaigns is the only product mentioned in the CNA records.
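The pattern behind this class of bug, shown as an added illustration rather than the plugin's own code: a wp_ajax_* callback that acts for any logged-in user, beside a hardened version that checks a capability (and, going a step beyond the advisory, a nonce). The option name, function names, capability and nonce action are assumptions; only the AJAX action name comes from the advisory.

```php
<?php
// Added example, not the plugin's code. The option name, function names,
// capability and nonce action below are assumptions for illustration.

// --- Pattern to avoid: the callback trusts any authenticated caller. ---
// Registering a handler on a wp_ajax_* hook makes it reachable by every
// logged-in user, Subscriber included. Hooking it like this is not an
// authorization check:
//   add_action( 'wp_ajax_mailchimp_campaigns_manager_disconnect_app',
//               'mcm_disconnect_app_unchecked' );
function mcm_disconnect_app_unchecked() {
    // Drops the stored credential for the integration (assumed option name).
    delete_option( 'mcm_api_key' );
    wp_send_json_success( array( 'disconnected' => true ) );
}

// --- Hardened pattern: authorize, then validate the request origin. ---
add_action( 'wp_ajax_mailchimp_campaigns_manager_disconnect_app',
            'mcm_disconnect_app_checked' );

function mcm_disconnect_app_checked() {
    // Only users allowed to manage site options may sever the integration.
    // wp_send_json_error() ends the request, so no further code runs.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Reject requests that lack the nonce issued to the settings page, so an
    // administrator cannot be tricked into triggering the action from another
    // site. Nonce action name 'mcm_disconnect_app' is assumed; it dies on failure.
    check_ajax_referer( 'mcm_disconnect_app', 'nonce' );

    delete_option( 'mcm_api_key' );
    wp_send_json_success( array( 'disconnected' => true ) );
}
```

When reviewing a plugin for this weakness, list every add_action( 'wp_ajax_...' ) registration and confirm the callback begins with a current_user_can() check appropriate to the action it performs; a handler that is only meant for administrators but is registered on a wp_ajax_ hook without one matches the flaw described here.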
Risk and Exploitability
The CVSS score of 5.3 places the issue in the medium severity range, and the EPSS score of less than 1 % indicates that actual exploitation is currently unlikely. Because the attack vector requires only authenticated access, an attacker can trigger the disconnect with a single request to the AJAX endpoint, whether by visiting a URL or by sending an AJAX request. The vulnerability is not listed in the CISA KEV catalog, and no widespread attacks against it have been reported. Nonetheless, the ability to disable a key marketing channel could have business-continuity implications, so a timely update is advisable.
OpenCVE Enrichment