CVE-2026-23693 in ElementsKit Lite

Summary

by MITRE • 02/23/2026

ElementsKit Lite (elementskit-lite) WordPress plugin versions prior to 3.7.9 expose the REST endpoint /wp-json/elementskit/v1/widget/mailchimp/subscribe without authentication. The endpoint accepts client-supplied Mailchimp API credentials and insufficiently validates certain parameters, including the list parameter, when constructing upstream Mailchimp API requests. An unauthenticated attacker can abuse the endpoint as an open proxy to Mailchimp, potentially triggering unauthorized API calls, manipulating subscription data, exhausting API quotas, or causing resource consumption on the affected WordPress site.


Analysis

by VulDB Data Team • 02/24/2026

CVE-2026-23693 affects the ElementsKit Lite WordPress plugin (elementskit-lite) in versions prior to 3.7.9. The REST route /wp-json/elementskit/v1/widget/mailchimp/subscribe is registered without an authorization check, so any unauthenticated HTTP client on the internet can invoke it. The handler forwards what it receives to Mailchimp's API, and it does so without adequately validating the client-supplied parameters, including the list identifier, before building the upstream request. The combination of a missing access control and weak input validation turns the site's Mailchimp integration into a relay that outside parties can drive for their own purposes.

The root cause is that the handler trusts the request body. According to the advisory, the endpoint accepts Mailchimp API credentials supplied by the caller and does not sufficiently validate the list parameter and other fields before placing them into the upstream API call. Because the WordPress site makes the outbound connection, Mailchimp sees traffic originating from the site's IP address, not from the attacker, which is what makes the endpoint usable as a proxy. In CWE terms this is a missing authorization check on the endpoint combined with improper validation of the parameters it forwards; both are basic controls that should prevent an arbitrary, unauthenticated caller from shaping a server-side request to a third-party service.

The impact reaches beyond the WordPress site itself. An attacker can use the endpoint to issue Mailchimp API calls through the site, which can exhaust the API quota of the account whose credentials are used and disrupt legitimate use of that account. Each inbound request also costs the site an outbound HTTPS call, so a flood of requests consumes PHP workers, bandwidth and connection slots on the host even when Mailchimp rejects the calls. Because the endpoint submits subscription data, it can also be used to add, alter or spam subscriber records in Mailchimp lists. In short, this is an open-proxy condition: the site acts as an intermediary that anyone can point at Mailchimp.

In ATT&CK terms the abuse maps to T1071.001 (Application Layer Protocol: Web Protocols) for the relayed HTTPS traffic, T1566 (Phishing) where the relay is used to push spam or phishing mail through Mailchimp, and T1499.003 (Endpoint Denial of Service: Application Exhaustion Flood) for quota and resource exhaustion. The first remediation is to update ElementsKit Lite to 3.7.9 or later, the first version the advisory lists as unaffected. Until then, and as defense in depth afterwards: rate-limit POSTs to /wp-json/elementskit/v1/widget/mailchimp/subscribe at the web server or CDN; add a WAF rule that blocks requests to that path carrying client-supplied credential parameters or an unexpected list value; block the route outright at the web server on sites that do not use the Mailchimp widget; and alert on bursts of requests to the path from a single source, since a legitimate signup form does not produce that volume. More broadly, the flaw combines Broken Authentication and Unrestricted Resource Consumption from the OWASP API Security Top 10: an endpoint that reaches a third-party service on the site's behalf needs an authorization decision, server-side credentials, strict validation of every forwarded parameter and a rate limit.
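The following is an added example in WordPress PHP, not ElementsKit's code and not a reconstruction of its fix. It shows the endpoint pattern the analysis describes in two forms: a constructed weak route that accepts the caller's credentials and list identifier and forwards them to Mailchimp, followed by a hardened route that keeps credentials server-side, declares and validates its arguments, verifies a form token and rate-limits per IP. The route namespace, function names, option names and transient keys (esk-demo/v1, esk_demo_*) are assumptions made for illustration; the Mailchimp URL and Basic-auth shape follow Mailchimp's documented Marketing API v3.

```php
<?php
// Added illustration (not the plugin's code). All esk_demo_* names are invented.

// --- Weak pattern: public route that forwards whatever the client sends -----
add_action( 'rest_api_init', function () {
    register_rest_route( 'esk-demo/v1', '/mailchimp/subscribe', [
        'methods'             => 'POST',
        'callback'            => 'esk_demo_subscribe_weak',
        'permission_callback' => '__return_true', // anyone on the internet may call this
    ] );
} );

function esk_demo_subscribe_weak( WP_REST_Request $req ) {
    $api_key = (string) $req->get_param( 'apikey' ); // credentials chosen by the caller
    $list_id = (string) $req->get_param( 'list' );   // unvalidated, inserted straight into the URL
    $dc      = explode( '-', $api_key )[1] ?? 'us1';
    $url     = "https://{$dc}.api.mailchimp.com/3.0/lists/{$list_id}/members";
    $resp    = wp_remote_post( $url, [
        'headers' => [ 'Authorization' => 'Basic ' . base64_encode( 'anystring:' . $api_key ) ],
        'body'    => wp_json_encode( [ 'email_address' => $req->get_param( 'email' ), 'status' => 'subscribed' ] ),
    ] );
    return rest_ensure_response( [ 'status' => wp_remote_retrieve_response_code( $resp ) ] );
}

// --- Hardened pattern --------------------------------------------------------
add_action( 'rest_api_init', function () {
    register_rest_route( 'esk-demo/v1', '/mailchimp/subscribe-safe', [
        'methods'             => 'POST',
        'callback'            => 'esk_demo_subscribe_safe',
        'permission_callback' => 'esk_demo_can_subscribe',
        // Only declared args are read. No 'apikey' or 'list' argument exists,
        // so the client cannot choose the account or the target list.
        'args'                => [
            'email' => [
                'required'          => true,
                'type'              => 'string',
                'sanitize_callback' => 'sanitize_email',
                'validate_callback' => function ( $value ) { return false !== is_email( $value ); },
            ],
            '_token' => [ 'required' => true, 'type' => 'string' ],
        ],
    ] );
} );

function esk_demo_can_subscribe( WP_REST_Request $req ) {
    // Form token: the widget embeds wp_create_nonce( 'esk_demo_subscribe' ) when it
    // renders. Nonces also verify for logged-out visitors, so this is a speed bump
    // against blind scripted abuse, not authentication.
    if ( ! wp_verify_nonce( (string) $req->get_param( '_token' ), 'esk_demo_subscribe' ) ) {
        return new WP_Error( 'rest_forbidden', 'Missing or stale form token.', [ 'status' => 403 ] );
    }
    // Per-IP limiter on a transient (assumed design): 5 attempts per 10 minutes.
    $ip  = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : 'unknown';
    $key = 'esk_demo_sub_' . md5( $ip );
    $n   = (int) get_transient( $key );
    if ( $n >= 5 ) {
        return new WP_Error( 'rest_rate_limited', 'Too many attempts.', [ 'status' => 429 ] );
    }
    set_transient( $key, $n + 1, 10 * MINUTE_IN_SECONDS );
    return true;
}

function esk_demo_subscribe_safe( WP_REST_Request $req ) {
    // Credentials and target list come from administrator-set options, never from the body.
    $api_key = (string) get_option( 'esk_demo_mailchimp_key', '' );
    $list_id = (string) get_option( 'esk_demo_mailchimp_list', '' );
    if ( ! preg_match( '/^[a-f0-9]{32}-[a-z0-9]+$/i', $api_key ) || ! preg_match( '/^[a-z0-9]{1,32}$/i', $list_id ) ) {
        return new WP_Error( 'esk_demo_misconfigured', 'Mailchimp is not configured.', [ 'status' => 503 ] );
    }
    $dc   = substr( $api_key, strrpos( $api_key, '-' ) + 1 );
    $url  = sprintf( 'https://%s.api.mailchimp.com/3.0/lists/%s/members', rawurlencode( $dc ), rawurlencode( $list_id ) );
    $resp = wp_remote_post( $url, [
        'timeout' => 5, // bound the cost of each relayed call
        'headers' => [
            'Authorization' => 'Basic ' . base64_encode( 'anystring:' . $api_key ),
            'Content-Type'  => 'application/json',
        ],
        'body'    => wp_json_encode( [
            'email_address' => $req->get_param( 'email' ), // sanitized and validated by 'args'
            'status'        => 'pending',                  // double opt-in: Mailchimp sends the confirmation
        ] ),
    ] );
    if ( is_wp_error( $resp ) ) {
        return new WP_Error( 'esk_demo_upstream', 'Upstream request failed.', [ 'status' => 502 ] );
    }
    // Do not echo Mailchimp's response body to the visitor; it can reveal list details.
    $code = wp_remote_retrieve_response_code( $resp );
    return rest_ensure_response( [ 'ok' => in_array( $code, [ 200, 201 ], true ) ] );
}
```

The argument schema in the hardened registration runs before the callback, so a request with a malformed email is rejected by the REST layer and never reaches Mailchimp; undeclared parameters such as apikey or list are simply never read. The nonce and transient limiter cut the volume an anonymous caller can generate, but the decisive change is that the account and the list are chosen by the site owner, which removes the proxy behaviour entirely.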

Responsible

VulnCheck

Reservation

01/14/2026

Disclosure

02/23/2026

Moderation

accepted

CPE

ready

EPSS

0.00198

KEV

no

Activities

very low
