The vulnerability identified as CVE-2026-1303 affects the MailChimp Campaigns plugin for WordPress, specifically all versions up to and including 3.2.4. The root cause is a missing authorization check (CWE-862) on the function mailchimp_campaigns_manager_disconnect_app, which is hooked to an AJAX action of the same name. This function can be triggered by any authenticated user with at least Subscriber-level privileges, which are typically granted to low-privilege users such as commenters or registered visitors. Because the plugin fails to verify whether the user has the appropriate capabilities before executing this function, an attacker can forcibly disconnect the WordPress site from its MailChimp synchronization app. This disconnection disrupts the automated email campaign workflows and marketing integrations that depend on continuous synchronization with MailChimp. The vulnerability does not expose sensitive data or allow remote code execution but undermines the integrity of the marketing automation process. The CVSS v3.1 score is 5.3 (medium), reflecting the network attack vector, low attack complexity, no privileges required beyond authentication, and no user interaction needed. No patches or official fixes are currently linked, and no exploits have been observed in the wild as of the publication date. The vulnerability was reserved on January 21, 2026, and published on February 14, 2026.

The primary impact of CVE-2026-1303 is the disruption of marketing operations for organizations using the MailChimp Campaigns plugin on WordPress. By disconnecting the synchronization app, attackers can halt automated email campaigns, leading to missed communications, reduced customer engagement, and potential revenue loss. While this does not compromise confidential data or system availability, it affects the integrity and reliability of marketing workflows. Organizations relying heavily on automated email marketing may experience operational setbacks and reputational damage if campaigns fail unexpectedly. The ease of exploitation by low-privilege authenticated users increases the risk, especially in environments where subscriber accounts are easily created or compromised. This vulnerability could be leveraged as part of a broader attack to degrade business functions or as a nuisance attack to disrupt marketing efforts.

To mitigate this vulnerability, organizations should immediately restrict Subscriber-level user capabilities to trusted individuals only, minimizing the risk of unauthorized disconnection. Administrators should monitor user accounts and audit logs for suspicious AJAX requests related to mailchimp_campaigns_manager_disconnect_app. Applying principle of least privilege to user roles can reduce exposure. Until an official patch is released, consider implementing a Web Application Firewall (WAF) rule to block or challenge requests invoking the vulnerable AJAX action from low-privilege users. Additionally, site owners can temporarily disable or remove the MailChimp Campaigns plugin if marketing automation is not critical or if risk tolerance is low. Developers and site administrators should watch for updates from the vendor and apply patches promptly once available. Finally, educating users about the risk of account compromise and enforcing strong authentication can help prevent exploitation.