
CVE-2026-1303: CWE-862 Missing Authorization in matthieuscarset MailChimp Campaigns

Severity: Medium
Tags: Vulnerability, CVE-2026-1303, CWE-862
Published: Sat Feb 14 2026 (02/14/2026, 06:42:33 UTC)
Source: CVE Database V5
Vendor/Project: matthieuscarset
Product: MailChimp Campaigns

Description

The MailChimp Campaigns plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.2.4. This is due to missing capability checks on the `mailchimp_campaigns_manager_disconnect_app` function that is hooked to the AJAX action of the same name. This makes it possible for authenticated attackers, with Subscriber-level access and above, to disconnect the site from its MailChimp synchronization app, disrupting automated email campaigns and marketing integrations.

AI-Powered Analysis

AI analysis last updated: 02/14/2026, 07:07:30 UTC

Technical Analysis

CVE-2026-1303 is a vulnerability classified under CWE-862 (Missing Authorization) affecting the MailChimp Campaigns plugin for WordPress, versions up to and including 3.2.4. The root cause is the absence of proper capability checks in the mailchimp_campaigns_manager_disconnect_app function, which is hooked to an AJAX action of the same name. This function can be invoked by any authenticated user with Subscriber-level privileges or higher, allowing them to disconnect the WordPress site from its MailChimp synchronization app. This disconnection interrupts the automated email campaign workflows and marketing integrations that rely on MailChimp synchronization, potentially causing business disruption. The vulnerability does not expose sensitive data or allow for privilege escalation, but it impacts the integrity of marketing operations. The CVSS v3.1 score is 5.3 (medium severity), reflecting the network attack vector, low attack complexity, only Subscriber-level privileges required, and no user interaction needed. No patches are currently linked, and no known exploits are reported in the wild. The vulnerability highlights the importance of enforcing proper authorization checks on AJAX endpoints in WordPress plugins, especially those managing critical integrations.

Potential Impact

For European organizations using the MailChimp Campaigns plugin, this vulnerability can disrupt marketing automation by allowing low-privilege authenticated users to sever the connection to MailChimp. This disruption can lead to missed or delayed email campaigns, impacting customer engagement, sales, and brand reputation. While it does not directly compromise confidential data or system availability, the interruption of marketing workflows can have significant operational and financial consequences, especially for e-commerce, retail, and service sectors heavily reliant on email marketing. Organizations with large user bases or multiple contributors with subscriber-level access are at higher risk. The impact is primarily on the integrity and availability of marketing functions rather than on core IT infrastructure or data confidentiality.

Mitigation Recommendations

1. Immediately restrict access to the AJAX action mailchimp_campaigns_manager_disconnect_app by implementing server-side capability checks or limiting it to trusted roles only (e.g., administrators).
2. Monitor and audit user roles and permissions to ensure that only trusted users have subscriber-level or higher access, minimizing the attack surface.
3. Disable or remove the MailChimp Campaigns plugin if it is not essential or if a patch is not yet available.
4. Implement web application firewall (WAF) rules to detect and block unauthorized AJAX requests targeting this function.
5. Stay alert for official patches or updates from the plugin vendor and apply them promptly once released.
6. Educate site administrators and users about the risks of granting unnecessary permissions and enforce the principle of least privilege.
7. Regularly review and harden WordPress security configurations, including limiting plugin access and monitoring plugin behavior.
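The Technical Analysis above describes the general failure pattern (an AJAX-hooked handler with no capability check) and mitigation step 1 describes the fix. The following is an added illustrative example, not the MailChimp Campaigns plugin's own code: it shows a hypothetical "disconnect app" handler first in the unsafe shape the advisory describes and then in a hardened shape that enforces a capability, verifies a nonce, and logs refused attempts. All function names, the option key `example_mailchimp_app_token`, and the nonce action `example_disconnect_app` are assumptions made for this example.

```php
<?php
// Added illustrative example (not the plugin's own code). Function names,
// the option key and the nonce action below are assumptions.

// --- Vulnerable pattern (the shape the advisory describes) ---------------
// Any logged-in user reaching admin-ajax.php, Subscriber role included, can
// run this: WordPress authenticates the request but nothing here checks
// whether the caller is authorized to perform the action, and no nonce ties
// the request to an intentional admin action.
function example_disconnect_app_unchecked() {
    delete_option( 'example_mailchimp_app_token' ); // assumed option key
    wp_send_json_success( array( 'disconnected' => true ) );
}
add_action( 'wp_ajax_example_disconnect_app_unchecked', 'example_disconnect_app_unchecked' );

// --- Hardened pattern (mitigation step 1) ---------------------------------
// Require a capability reserved for administrators, verify a nonce bound to
// this specific action, and log refusals so there is an audit trail for the
// monitoring recommended in the advisory.
function example_disconnect_app_hardened() {
    // Capability check: Subscribers do not hold manage_options, so they are
    // rejected here. wp_send_json_error() terminates the request (wp_die).
    if ( ! current_user_can( 'manage_options' ) ) {
        error_log( sprintf(
            'example-plugin: disconnect refused for user %d (missing capability)',
            get_current_user_id()
        ) );
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Nonce check (CSRF protection): the admin UI that triggers the action
    // must send a nonce generated with wp_create_nonce( 'example_disconnect_app' )
    // in the 'nonce' request field. Passing false as the third argument makes
    // check_ajax_referer() return instead of dying, so we can log and reply.
    if ( ! check_ajax_referer( 'example_disconnect_app', 'nonce', false ) ) {
        error_log( sprintf(
            'example-plugin: disconnect refused for user %d (invalid nonce)',
            get_current_user_id()
        ) );
        wp_send_json_error( array( 'message' => 'Invalid request token.' ), 403 );
    }

    // Only an authorized, nonce-verified caller reaches this point.
    delete_option( 'example_mailchimp_app_token' );
    wp_send_json_success( array( 'disconnected' => true ) );
}
add_action( 'wp_ajax_example_disconnect_app_hardened', 'example_disconnect_app_hardened' );

// Deliberately not registered on the wp_ajax_nopriv_* hook: unauthenticated
// visitors should never be able to reach a state-changing handler like this.
```

The key point for reviewers auditing other plugins is that registration on a `wp_ajax_*` hook only proves the caller is logged in; authorization has to be an explicit `current_user_can()` check inside the handler, and the nonce is a separate control that stops a logged-in administrator from being tricked into triggering the action from another site.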


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2026-01-21T18:58:37.641Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69901aecc9e1ff5ad8689394

Added to database: 2/14/2026, 6:49:16 AM

Last enriched: 2/14/2026, 7:07:30 AM

Last updated: 2/21/2026, 12:17:34 AM
