The MC4WP: Mailchimp for WordPress plugin suffers from a Missing Authorization vulnerability (CWE-862) identified as CVE-2026-1781, affecting all versions up to and including 4.11.1. The root cause is the plugin's failure to validate the _mc4wp_action POST parameter, which controls whether the form processes subscription or unsubscription actions. Because the form ID required to trigger this action is publicly available in the HTML source, an unauthenticated attacker can craft POST requests that force the form to unsubscribe any email address from the connected Mailchimp audience. This bypasses intended authorization controls, allowing manipulation of mailing lists without user consent or authentication. The vulnerability impacts the integrity and availability of mailing list data but does not disclose confidential information. The CVSS 3.1 base score is 6.5 (medium), reflecting network exploitability without privileges or user interaction, and partial impact on integrity and availability. No patches or official fixes are linked yet, and no known exploits have been reported in the wild. The vulnerability is significant due to the widespread use of the MC4WP plugin among WordPress sites integrating Mailchimp for email marketing, potentially affecting numerous organizations globally.

This vulnerability allows attackers to arbitrarily unsubscribe email addresses from Mailchimp audiences, undermining the integrity of mailing lists and potentially disrupting marketing campaigns and communications. Organizations relying on Mailchimp for customer engagement, newsletters, or transactional emails may experience reduced reach and effectiveness due to unauthorized unsubscriptions. This can lead to loss of customer trust, reduced revenue from marketing efforts, and increased operational overhead to identify and remediate affected contacts. Although no direct confidentiality breach occurs, the availability and integrity of subscriber data are compromised. The ease of exploitation (no authentication or user interaction required) and the public exposure of form IDs increase the risk of automated or large-scale abuse. Organizations with high dependency on email marketing and customer communications are particularly vulnerable to reputational damage and operational disruption.

Organizations should immediately verify if they use the MC4WP: Mailchimp for WordPress plugin and identify affected versions (up to 4.11.1). Since no official patch links are provided, administrators should monitor vendor channels for updates and apply patches promptly once available. In the interim, implement strict server-side validation of the _mc4wp_action POST parameter to ensure only authorized actions are processed. Restrict access to subscription management endpoints using web application firewalls (WAFs) or IP whitelisting where feasible. Employ rate limiting to reduce the risk of automated abuse. Review and audit Mailchimp audience lists for suspicious unsubscription activity and consider re-subscribing legitimate contacts. Additionally, consider implementing CAPTCHA or other anti-automation controls on subscription forms to hinder exploitation. Regularly monitor logs for anomalous POST requests targeting the _mc4wp_action parameter. Finally, educate marketing and IT teams about this vulnerability to ensure rapid response and mitigation.