CVE-2026-23693

216.73.217.22

· Published 23/02/2026 21:19 · Modified 24/02/2026 19:21

Labels: CVE-2026-23693 2026-02-23 CVE-2026-23693 CWE-306 [email protected]

Essential information

Published: 23/02/2026 21:19
Modified: 24/02/2026 19:21
Author: —
Creator: —
CVSS: 9.3 CRITICAL (v3) 9.3 CRITICAL (v4.0)
CISA KEV: No
CWE: —
CVSS vector: —

CVSS metrics

Description

ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor (elementskit-lite) WordPress plugin versions prior to 3.7.9 expose the REST endpoint /wp-json/elementskit/v1/widget/mailchimp/subscribe without authentication. The endpoint accepts client-supplied Mailchimp API credentials and insufficiently validates certain parameters, including the list parameter, when constructing upstream Mailchimp API requests. An unauthenticated attacker can abuse the endpoint as an open proxy to Mailchimp, potentially triggering unauthorized API calls, manipulating subscription data, exhausting API quotas, or causing resource consumption on the affected WordPress site.

NVD status

Status: Awaiting Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source: [email protected]
NVD: View on NVD

Affected products (CPE)

Product	CPE
wp-elementskit / elementskit lite	`cpe:2.3:a:wp-elementskit:elementskit_lite::::::wordpress::*`