CVE-2026-23693 is a critical security vulnerability found in the ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor WordPress plugin, specifically in versions prior to 3.7.9. The flaw lies in the exposure of the REST API endpoint /wp-json/elementskit/v1/widget/mailchimp/subscribe, which lacks any authentication mechanism (CWE-306: Missing Authentication for Critical Function). This endpoint accepts Mailchimp API credentials supplied by the client and does not sufficiently validate key parameters such as the 'list' parameter when constructing requests to the upstream Mailchimp API. As a result, an unauthenticated attacker can exploit this endpoint as an open proxy to the Mailchimp API. This allows the attacker to trigger unauthorized API calls, potentially manipulating subscription data, exhausting the victim's Mailchimp API quotas, or causing excessive resource consumption on the WordPress server hosting the plugin. The vulnerability requires no privileges or user interaction, making exploitation straightforward. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H) indicates network attack vector, low attack complexity, no authentication or user interaction, with high impact on integrity and availability, and low impact on confidentiality. No known exploits are currently reported in the wild, but the critical severity score of 9.3 underscores the urgency for patching. The vulnerability affects all installations of the plugin before version 3.7.9, which is widely used in WordPress sites integrating Mailchimp subscription features.

The impact of CVE-2026-23693 is significant for organizations using the ElementsKit Elementor Addons plugin with Mailchimp integration. Attackers can exploit the unauthenticated REST endpoint to perform unauthorized Mailchimp API calls, which can lead to several adverse outcomes: manipulation of subscription lists (adding or removing subscribers without consent), exhaustion of Mailchimp API quotas potentially disrupting legitimate email marketing operations, and increased resource consumption on the WordPress site that may degrade performance or cause denial of service. This can damage organizational reputation, disrupt marketing campaigns, and increase operational costs. Since the vulnerability requires no authentication or user interaction, it can be exploited at scale by automated attacks. Organizations relying on this plugin for customer engagement or marketing automation are at risk of data integrity issues and service disruptions. The vulnerability also increases the attack surface of the WordPress site, potentially serving as a pivot point for further attacks.

To mitigate CVE-2026-23693, organizations should immediately update the ElementsKit Elementor Addons plugin to version 3.7.9 or later, where this vulnerability is patched. If immediate patching is not possible, administrators should restrict access to the vulnerable REST endpoint by implementing web application firewall (WAF) rules that block unauthenticated requests to /wp-json/elementskit/v1/widget/mailchimp/subscribe. Additionally, review and rotate Mailchimp API credentials to prevent misuse. Implement strict input validation and parameter sanitization on the Mailchimp integration to prevent abuse. Monitor API usage for unusual spikes that may indicate exploitation attempts. Consider disabling the Mailchimp subscription widget if it is not essential. Regularly audit WordPress plugins for updates and vulnerabilities, and employ least privilege principles for API credentials. Finally, enable logging and alerting on REST API access to detect suspicious activity promptly.