CVE-2026-23693

ElementsKit Lite < 3.7.9 Unauthenticated Mailchimp REST Endpoint

Assigner: VulnCheck
Reserved: 14.01.2026 Published: 23.02.2026 Updated: 23.02.2026

ElementsKit Lite (elementskit-lite) WordPress plugin versions prior to 3.7.9 expose the REST endpoint /wp-json/elementskit/v1/widget/mailchimp/subscribe without authentication. The endpoint accepts client-supplied Mailchimp API credentials and insufficiently validates certain parameters, including the list parameter, when constructing upstream Mailchimp API requests. An unauthenticated attacker can abuse the endpoint as an open proxy to Mailchimp, potentially triggering unauthorized API calls, manipulating subscription data, exhausting API quotas, or causing resource consumption on the affected WordPress site.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H
CVSS Score: 9.3

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	Low	Confidentiality	Low
Attack Complexity	Low	Integrity	High	Integrity	High
Attack Requirements	None	Availability	High	Availability	High
Privileges Required	None
User Interaction	None

CVSS 4.0

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H
CVSS Score: 10

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	None	Integrity Impact	High
User Interaction	None	Availability Impact	High

CVSS 3.1

Product Status

Vendor	Roxnor
Product	ElementsKit Lite
Versions	Default: unaffected affected from 0 to 3.7.9 (excl.)

Vendor

Roxnor

Product

ElementsKit Lite

Versions

Default: unaffected

affected from 0 to 3.7.9 (excl.)

Credits

Rahul Karne finder
VulnCheck coordinator

References

Problem Types