Description
ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor (elementskit-lite) WordPress plugin versions prior to 3.7.9 expose the REST endpoint /wp-json/elementskit/v1/widget/mailchimp/subscribe without authentication. The endpoint accepts client-supplied Mailchimp API credentials and insufficiently validates certain parameters, including the list parameter, when constructing upstream Mailchimp API requests. An unauthenticated attacker can abuse the endpoint as an open proxy to Mailchimp, potentially triggering unauthorized API calls, manipulating subscription data, exhausting API quotas, or causing resource consumption on the affected WordPress site.
Published: 2026-02-23
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Mailchimp API Abuse
Action: Apply Patch
AI Analysis

Impact

The vulnerability resides in the ElementsKit Elementor Addons WordPress plugin, affecting versions earlier than 3.7.9. It exposes the REST endpoint /wp-json/elementskit/v1/widget/mailchimp/subscribe without requiring authentication. An attacker can supply arbitrary Mailchimp API credentials and craft requests that the plugin forwards to the Mailchimp service. Because the plugin does not validate important parameters such as the list identifier, the endpoint can be used as an open proxy to perform unauthorized API operations, including adding or removing subscribers, altering list contents, or exhausting the victim’s Mailchimp account limits. The result is unauthorized data manipulation, potential spam, and increased resource usage on the affected WordPress site.

Affected Systems

The affected product is the ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor plugin, developed by Roxnor. Every installation running a version earlier than 3.7.9 is affected; the advisory does not narrow the affected range any further.

Risk and Exploitability

The CVSS score of 9.3 signals a critical-severity flaw. The EPSS indicates that the probability of exploitation is currently very low, as shown by the < 1% score. The vulnerability is not listed in CISA's KEV catalog. The exploitable path involves sending crafted HTTP requests to the unauthenticated REST endpoint over the public network, which is possible from any host with internet access. Because the attacker does not need privileged credentials on the WordPress server, the pool of potential attackers is broad, and the potential impact spans unauthorized email marketing activity, quota depletion, and unintended service consumption.

Generated by OpenCVE AI on April 17, 2026 at 16:14 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Update the ElementsKit Elementor Addons plugin to version 3.7.9 or later, which removes the unauthenticated Mailchimp API endpoint.
  • If an update is not immediately possible, block access to the endpoint by configuring the web server or a security plugin to deny requests for /wp-json/elementskit/v1/widget/mailchimp/subscribe.
  • Apply rate‑limiting or firewall rules to limit the number of requests to the plugin’s REST routes, reducing the risk of abuse.
  • Verify that no remnants of the plugin’s legacy endpoint remain in custom code or child themes.
  • Monitor the WordPress REST API logs for unexpected calls to the Mailchimp subscribe route and review Mailchimp account activity for anomalies.
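One way to carry out the "block" and "monitor" steps above from inside WordPress itself, as an added example that is not part of the advisory or of the ElementsKit plugin (it assumes a must-use plugin file such as wp-content/mu-plugins/block-elementskit-mailchimp.php, a name chosen here):

```php
<?php
/**
 * Plugin Name: Block ElementsKit Mailchimp subscribe route (CVE-2026-23693)
 *
 * Added example, not code from ElementsKit or the advisory. Save it as
 * wp-content/mu-plugins/block-elementskit-mailchimp.php (name is an assumption)
 * so it loads on every request. It refuses the vulnerable REST route to anyone
 * without manage_options and logs each blocked attempt, covering the "block"
 * and "monitor" steps above until the plugin is updated to 3.7.9 or later.
 */

// Route as registered under the /wp-json/ prefix (taken from the advisory).
const BLOCKED_ELEMENTSKIT_ROUTE = '/elementskit/v1/widget/mailchimp/subscribe';

/**
 * Short-circuit dispatch of the vulnerable route before the plugin callback
 * (and therefore the upstream Mailchimp request) can run.
 *
 * @param mixed           $result  Pre-dispatch result; null means "continue".
 * @param WP_REST_Server  $server  REST server (unused, required by the filter).
 * @param WP_REST_Request $request Incoming REST request.
 * @return mixed WP_Error to refuse the request, otherwise $result unchanged.
 */
function mitigation_block_elementskit_mailchimp( $result, $server, $request ) {
    // Match on the normalised route only; query strings are not part of it.
    $route = rtrim( $request->get_route(), '/' );
    if ( $route !== BLOCKED_ELEMENTSKIT_ROUTE ) {
        return $result;
    }

    // Site administrators keep access; unauthenticated and low-privilege
    // callers, the population the advisory is concerned with, are refused.
    if ( current_user_can( 'manage_options' ) ) {
        return $result;
    }

    // Monitoring: record method, route and source address. The request body
    // (which may carry Mailchimp credentials) is deliberately not logged.
    $ip = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : 'unknown';
    error_log( sprintf( 'CVE-2026-23693 mitigation: blocked %s %s from %s',
        $request->get_method(), $route, $ip ) );

    return new WP_Error( 'rest_forbidden', 'This endpoint is disabled on this site.', array( 'status' => 403 ) );
}
add_filter( 'rest_pre_dispatch', 'mitigation_block_elementskit_mailchimp', 10, 3 );
```

Because the route is refused for every non-administrator, the plugin's public Mailchimp subscribe form stops working while this file is in place, which is the intended effect of the workaround; remove the file once the site runs 3.7.9 or later.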


Advisories

No advisories yet.

History

Wed, 25 Feb 2026 16:15:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 24 Feb 2026 19:00:00 +0000

Type: Description
Values Removed: ElementsKit Lite (elementskit-lite) WordPress plugin versions prior to 3.7.9 expose the REST endpoint /wp-json/elementskit/v1/widget/mailchimp/subscribe without authentication. The endpoint accepts client-supplied Mailchimp API credentials and insufficiently validates certain parameters, including the list parameter, when constructing upstream Mailchimp API requests. An unauthenticated attacker can abuse the endpoint as an open proxy to Mailchimp, potentially triggering unauthorized API calls, manipulating subscription data, exhausting API quotas, or causing resource consumption on the affected WordPress site.
Values Added: ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor (elementskit-lite) WordPress plugin versions prior to 3.7.9 expose the REST endpoint /wp-json/elementskit/v1/widget/mailchimp/subscribe without authentication. The endpoint accepts client-supplied Mailchimp API credentials and insufficiently validates certain parameters, including the list parameter, when constructing upstream Mailchimp API requests. An unauthenticated attacker can abuse the endpoint as an open proxy to Mailchimp, potentially triggering unauthorized API calls, manipulating subscription data, exhausting API quotas, or causing resource consumption on the affected WordPress site.

Type: Title
Values Removed: ElementsKit Lite < 3.7.9 Unauthenticated Mailchimp REST Endpoint
Values Added: ElementsKit Elementor Addons < 3.7.9 Unauthenticated Mailchimp REST Endpoint

Tue, 24 Feb 2026 10:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Roxnor; Roxnor elementskit Lite; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Roxnor; Roxnor elementskit Lite; Wordpress; Wordpress wordpress

Mon, 23 Feb 2026 21:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: ElementsKit Lite (elementskit-lite) WordPress plugin versions prior to 3.7.9 expose the REST endpoint /wp-json/elementskit/v1/widget/mailchimp/subscribe without authentication. The endpoint accepts client-supplied Mailchimp API credentials and insufficiently validates certain parameters, including the list parameter, when constructing upstream Mailchimp API requests. An unauthenticated attacker can abuse the endpoint as an open proxy to Mailchimp, potentially triggering unauthorized API calls, manipulating subscription data, exhausting API quotas, or causing resource consumption on the affected WordPress site.

Type: Title
Values Removed: (none)
Values Added: ElementsKit Lite < 3.7.9 Unauthenticated Mailchimp REST Endpoint

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-306

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added:
cvssV3_1 {'score': 10, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H'}
cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H'}


Subscriptions

Roxnor Elementskit Lite
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-02-25T15:10:22.725Z

Reserved: 2026-01-14T20:09:32.352Z

Link: CVE-2026-23693

Vulnrichment

Updated: 2026-02-25T15:10:15.231Z

NVD

Status: Deferred

Published: 2026-02-23T21:19:10.157

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-23693

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T16:15:22Z

Weaknesses