Vulnerabilities and security researches formailchimp-for-wp mailchimp-for-wp

Jun 06, 2024

CVE, Research URL: CVE-2021-36833
Home page URL: Security reports for MC4WP: Mailchimp for WordPress
Application: MC4WP: Mailchimp for WordPress
Date: May 21, 2022
Research Description: Authenticated (admin or higher user role) Stored Cross-Site Scripting (XSS) vulnerability in ibericode's MC4WP plugin <= 4.8.6 at WordPress.
Affected versions: max 4.1.7.
Status: vulnerable

CVE, Research URL: CVE-2016-10871
Home page URL: Security reports for MC4WP: Mailchimp for WordPress
Application: MC4WP: Mailchimp for WordPress
Date: Aug 13, 2019
Research Description: The mailchimp-for-wp plugin before 4.0.11 for WordPress has XSS on the integration settings page.
Affected versions: max 4.8.5.
Status: vulnerable

CVE, Research URL: CVE-2017-18577
Home page URL: Security reports for MC4WP: Mailchimp for WordPress
Application: MC4WP: Mailchimp for WordPress
Date: Aug 22, 2019
Research Description: The mailchimp-for-wp plugin before 4.1.8 for WordPress has XSS via the return value of add_query_arg.
Affected versions: max 4.1.8.
Status: vulnerable

Jun 10, 2024

CVE, Research URL: CVE-2023-51682
Home page URL: Security reports for MC4WP: Mailchimp for WordPress
Application: MC4WP: Mailchimp for WordPress
Date: Jun 11, 2024
Research Description: Missing Authorization vulnerability in ibericode MC4WP.This issue affects MC4WP: from n/a through 4.9.9.
Affected versions: max 4.9.10.
Status: vulnerable

Sep 19, 2024

CVE, Research URL: CVE-2024-8850
Home page URL: Security reports for MC4WP: Mailchimp for WordPress
Application: MC4WP: Mailchimp for WordPress
Date: Sep 19, 2024
Research Description: The MC4WP: Mailchimp for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'email' parameter when a placeholder such as {email} is used for the field in versions 4.9.9 to 4.9.16 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
Affected versions: Min 4.9.9, max 4.9.16.
Status: vulnerable

Sep 22, 2024

CVE, Research URL: CVE-2024-8680
Home page URL: Security reports for MC4WP: Mailchimp for WordPress
Application: MC4WP: Mailchimp for WordPress
Date: Sep 21, 2024
Research Description: The MC4WP: Mailchimp for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 4.9.16 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Affected versions: max 4.9.17.
Status: vulnerable

Jan 30, 2026

PSC, Research URL: PSC-2026-64599
Home page URL: Security reports for MC4WP: Mailchimp for WordPress
Application: MC4WP: Mailchimp for WordPress
Date: Jan 30, 2026
Research Description: MC4WP: Mailchimp for WordPress (v4.11.1) is widely recognized as the #1 Mailchimp integration plugin for WordPress, providing flexible signup forms and broad compatibility with popular form and commerce plugins. With Plugin Security Certification (PSC-2026-64599) from CleanTalk, MC4WP is now formally validated for secure operation in real-world WordPress environments—especially important when handling subscriber data and Mailchimp connectivity.
Affected versions: Min 4.12.1, max 4.12.1.
Status: SAFE & CERTIFIED

Apr 14, 2026

CVE, Research URL: CVE-2026-1781
Home page URL: Security reports for MC4WP: Mailchimp for WordPress
Application: MC4WP: Mailchimp for WordPress
Date: Mar 11, 2026
Research Description: The MC4WP: Mailchimp for WordPress plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 4.11.1. This is due to the plugin trusting the `_mc4wp_action` POST parameter without validation, allowing unauthenticated attackers to force the form to process unsubscribe actions instead of subscribe actions. This makes it possible for unauthenticated attackers to arbitrarily unsubscribe any email address from the connected Mailchimp audience via the `_mc4wp_action` parameter, granted they can obtain the form ID (which is publicly exposed in the HTML source).
Affected versions: max 4.12.0.
Status: vulnerable