CVE-2026-1303
MailChimp Campaigns <= 3.2.4 - Missing Authorization to Authenticated (Subscriber+) MailChimp App Disconnection
| CVSS Score | 5.3 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
The MailChimp Campaigns plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.2.4. This is due to missing capability checks on the `mailchimp_campaigns_manager_disconnect_app` function that is hooked to the AJAX action of the same name. This makes it possible for authenticated attackers, with Subscriber-level access and above, to disconnect the site from its MailChimp synchronization app, disrupting automated email campaigns and marketing integrations.
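The root cause described above is a general WordPress pattern: a `wp_ajax_{action}` hook fires for every logged-in user, Subscriber role included, so the handler itself has to authorise the caller. The following is an added illustration, not the plugin's own code; the function names, action names and option key are hypothetical. It shows the unprotected shape of such a handler next to the hardened form a maintainer would ship (a nonce check plus a capability check before the state-changing call).

```php
<?php
// Added illustration of CWE-862 on a WordPress AJAX action (hypothetical names,
// not the plugin's code).

// Unprotected pattern: wp_ajax_* runs for ANY authenticated user, and nothing
// here checks who is calling, so a Subscriber account can trigger the
// disconnect just as an administrator could.
function example_disconnect_app_unprotected() {
    delete_option( 'example_mailchimp_api_key' ); // removes the integration
    wp_send_json_success( 'disconnected' );
}
add_action( 'wp_ajax_example_disconnect_app_unprotected', 'example_disconnect_app_unprotected' );

// Hardened form: verify the request nonce (anti-CSRF), then require an
// administrative capability before doing anything that changes state.
function example_disconnect_app_secure() {
    // The nonce is created server-side with wp_create_nonce( 'example_disconnect_app' )
    // and sent in the 'nonce' request field; check_ajax_referer() ends the
    // request with HTTP 403 when it is missing or invalid.
    check_ajax_referer( 'example_disconnect_app', 'nonce' );

    // Only users allowed to manage site options may disconnect the app.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    delete_option( 'example_mailchimp_api_key' );
    wp_send_json_success( 'disconnected' );
}
add_action( 'wp_ajax_example_disconnect_app', 'example_disconnect_app_secure' );
```

When reviewing a plugin for this class of bug, search every `add_action( 'wp_ajax_...' )` callback for a `current_user_can()` (or equivalent) call that precedes the first write; a nonce check alone is not sufficient, because a nonce proves intent, not privilege.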
| CWE | CWE-862 |
| Vendor | matthieuscarset |
| Product | mailchimp campaigns |
| Published | Feb 14, 2026 |
| Last Updated | Apr 8, 2026 |
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
| Attack Vector | Network (AV:N) |
| Attack Complexity | Low (AC:L) |
| Privileges Required | None (PR:N) |
| User Interaction | None (UI:N) |
| Scope | Unchanged (S:U) |
| Confidentiality | None (C:N) |
| Integrity | Low (I:L) |
| Availability | None (A:N) |
Affected Versions
matthieuscarset / MailChimp Campaigns
0 ≤ version ≤ 3.2.4
References
- wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/c2057ec2-9f03-4ae9-b200-aa5a318b461e?source=cve
- plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/olalaweb-mailchimp-campaign-manager/trunk/mailchimp-campaigns-manager.php#L636
- plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/browser/olalaweb-mailchimp-campaign-manager/tags/3.2.4/mailchimp-campaigns-manager.php#L636
Credits
Nabil Irawan