Cyber Posture

CVE-2026-23693

CriticalPublic PoC

Published: 23 February 2026

Published
23 February 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H
EPSS Score 0.0020 41.6th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Description

ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor (elementskit-lite) WordPress plugin versions prior to 3.7.9 expose the REST endpoint /wp-json/elementskit/v1/widget/mailchimp/subscribe without authentication. The endpoint accepts client-supplied Mailchimp API credentials and insufficiently validates certain parameters, including the list…

more

parameter, when constructing upstream Mailchimp API requests. An unauthenticated attacker can abuse the endpoint as an open proxy to Mailchimp, potentially triggering unauthorized API calls, manipulating subscription data, exhausting API quotas, or causing resource consumption on the affected WordPress site.

Mitigating Controls (NIST 800-53 r5)AI

AC-14 Permitted Actions Without Identification or Authentication good match
prevent

AC-14 directly prohibits permitting critical functions like the unauthenticated Mailchimp proxy endpoint without identification or authentication.

SC-14 Public Access Protections good match
prevent

SC-14 enforces approved authorizations on publicly accessible REST endpoints such as /wp-json/elementskit/v1/widget/mailchimp/subscribe to block unauthenticated abuse.

SI-10 Information Input Validation partial match
prevent

SI-10 mandates validation of client-supplied parameters like 'list' prior to constructing upstream Mailchimp API requests, mitigating insufficient validation exploits.

Security SummaryAI

CVE-2026-23693 affects the ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor (elementskit-lite) WordPress plugin in versions prior to 3.7.9. The vulnerability stems from an exposed REST endpoint at /wp-json/elementskit/v1/widget/mailchimp/subscribe that operates without authentication. This endpoint accepts client-supplied Mailchimp API credentials and fails to sufficiently validate parameters, such as the list parameter, when forwarding requests to the upstream Mailchimp API, effectively turning it into an open proxy. The issue is classified under CWE-306 (Missing Authentication for Critical Function) with a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H).

Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no privileges required. By abusing the endpoint, they can proxy arbitrary requests to Mailchimp using supplied credentials, enabling unauthorized API calls, manipulation of subscription data, exhaustion of Mailchimp API quotas, or resource consumption on the affected WordPress site through denial-of-service effects.

Mitigation involves updating the elementskit-lite plugin to version 3.7.9 or later, as indicated by the vulnerability's scope to prior versions. Additional details are available in advisories from VulnCheck and plugin documentation on wordpress.org and wpmet.com.

Details

CWE(s)
CWE-306

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
attack.mitre.org →
Why these techniques?

Unauthenticated exposed REST endpoint in public-facing WordPress plugin enables exploitation of public-facing application (T1190) and resource consumption/DoS via crafted requests (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References