CVE-2026-23693
ElementsKit Elementor Addons < 3.7.9 Unauthenticated Mailchimp REST Endpoint
ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor (elementskit-lite) WordPress plugin versions prior to 3.7.9 expose the REST endpoint /wp-json/elementskit/v1/widget/mailchimp/subscribe without authentication. The endpoint accepts client-supplied Mailchimp API credentials and insufficiently validates certain parameters, including the list parameter, when constructing upstream Mailchimp API requests. An unauthenticated attacker can abuse the endpoint as an open proxy to Mailchimp, potentially triggering unauthorized API calls, manipulating subscription data, exhausting API quotas, or causing resource consumption on the affected WordPress site.
| CWE | CWE-306 |
| Vendor | roxnor |
| Product | elementskit elementor addons – advanced widgets & templates addons for elementor |
| Published | Feb 23, 2026 |
| Last Updated | Feb 25, 2026 |
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H
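
Added example, not part of the advisory or the plugin's code: a log check for requests to the endpoint named in the description, matching both the /wp-json/ path and WordPress's ?rest_route= query form. It assumes access logs in Combined Log Format; the sample lines and the threshold of 3 are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs, unquote

# REST route named in the advisory.
ROUTE = "/elementskit/v1/widget/mailchimp/subscribe"

# Combined Log Format (assumed): client IP, request target, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')

def hits_route(target):
    """True if the request target reaches ROUTE via /wp-json/ or ?rest_route=."""
    parts = urlsplit(target)
    # Decode, normalise case and trailing slash; endswith covers subdirectory installs.
    path = unquote(parts.path).lower().rstrip("/")
    if path.endswith("/wp-json" + ROUTE):
        return True
    # WordPress also serves REST routes through the rest_route query parameter.
    routes = parse_qs(parts.query).get("rest_route", [])
    return any(v.lower().rstrip("/") == ROUTE for v in routes)

def scan(lines):
    """Return a Counter keyed by (client_ip, status) for requests to the endpoint."""
    seen = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if m and hits_route(m.group(2)):
            seen[(m.group(1), m.group(3))] += 1
    return seen

def noisy_clients(seen, threshold=3):
    """Clients whose total requests to the endpoint meet the (assumed) threshold."""
    totals = Counter()
    for (ip, _status), n in seen.items():
        totals[ip] += n
    return sorted(ip for ip, n in totals.items() if n >= threshold)

# Constructed sample log lines (documentation IP ranges), not real traffic.
SAMPLE = [
    '203.0.113.7 - - [24/Feb/2026:10:00:01 +0000] "POST /wp-json/elementskit/v1/widget/mailchimp/subscribe HTTP/1.1" 200 118 "-" "curl/8.5.0"',
    '203.0.113.7 - - [24/Feb/2026:10:00:02 +0000] "POST /?rest_route=%2Felementskit%2Fv1%2Fwidget%2Fmailchimp%2Fsubscribe HTTP/1.1" 200 118 "-" "curl/8.5.0"',
    '203.0.113.7 - - [24/Feb/2026:10:00:03 +0000] "POST /wp-json/ElementsKit/v1/widget/mailchimp/subscribe/ HTTP/1.1" 400 64 "-" "curl/8.5.0"',
    '198.51.100.20 - - [24/Feb/2026:10:01:00 +0000] "POST /wp-json/elementskit/v1/widget/mailchimp/subscribe HTTP/1.1" 200 118 "-" "Mozilla/5.0"',
    '198.51.100.20 - - [24/Feb/2026:10:01:05 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(noisy_clients(scan(SAMPLE)))
```

On a site that legitimately uses the Mailchimp widget, some traffic to this route is expected, so the per-client totals matter more than any single hit.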