{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1303", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-21T18:58:37.641Z", "datePublished": "2026-02-14T06:42:33.704Z", "dateUpdated": "2026-04-08T17:19:59.377Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:19:59.377Z"}, "affected": [{"vendor": "matthieuscarset", "product": "MailChimp Campaigns", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.2.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The MailChimp Campaigns plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.2.4. This is due to missing capability checks on the `mailchimp_campaigns_manager_disconnect_app` function that is hooked to the AJAX action of the same name. This makes it possible for authenticated attackers, with Subscriber-level access and above, to disconnect the site from its MailChimp synchronization app, disrupting automated email campaigns and marketing integrations."}], "title": "MailChimp Campaigns <= 3.2.4 - Missing Authorization to Authenticated (Subscriber+) MailChimp App Disconnection", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c2057ec2-9f03-4ae9-b200-aa5a318b461e?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/olalaweb-mailchimp-campaign-manager/trunk/mailchimp-campaigns-manager.php#L636"}, {"url": "https://plugins.trac.wordpress.org/browser/olalaweb-mailchimp-campaign-manager/tags/3.2.4/mailchimp-campaigns-manager.php#L636"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan"}], "timeline": [{"time": "2026-02-13T18:28:49.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-17T15:39:10.427525Z", "id": "CVE-2026-1303", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-17T15:45:49.081Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1303", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-17T15:39:10.427525Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-17T15:39:11.103Z"}}], "cna": {"title": "MailChimp Campaigns <= 3.2.4 - Missing Authorization to Authenticated (Subscriber+) MailChimp App Disconnection", "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "matthieuscarset", "product": "MailChimp Campaigns", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.2.4"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-02-13T18:28:49.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c2057ec2-9f03-4ae9-b200-aa5a318b461e?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/olalaweb-mailchimp-campaign-manager/trunk/mailchimp-campaigns-manager.php#L636"}, {"url": "https://plugins.trac.wordpress.org/browser/olalaweb-mailchimp-campaign-manager/tags/3.2.4/mailchimp-campaigns-manager.php#L636"}], "descriptions": [{"lang": "en", "value": "The MailChimp Campaigns plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.2.4. This is due to missing capability checks on the `mailchimp_campaigns_manager_disconnect_app` function that is hooked to the AJAX action of the same name. This makes it possible for authenticated attackers, with Subscriber-level access and above, to disconnect the site from its MailChimp synchronization app, disrupting automated email campaigns and marketing integrations."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:19:59.377Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1303", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:19:59.377Z", "dateReserved": "2026-01-21T18:58:37.641Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-14T06:42:33.704Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The MailChimp Campaigns plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.2.4. This is due to missing capability checks on the `mailchimp_campaigns_manager_disconnect_app` function that is hooked to the AJAX action of the same name. This makes it possible for authenticated attackers, with Subscriber-level access and above, to disconnect the site from its MailChimp synchronization app, disrupting automated email campaigns and marketing integrations."}, {"lang": "es", "value": "El plugin MailChimp Campaigns para WordPress es vulnerable a la falta de autorizaci\u00f3n en todas las versiones hasta la 3.2.4, inclusive. Esto se debe a la falta de comprobaciones de capacidad en la funci\u00f3n 'mailchimp_campaigns_manager_disconnect_app' que est\u00e1 conectada a la acci\u00f3n AJAX del mismo nombre. Esto hace posible que atacantes autenticados, con acceso de nivel Suscriptor y superior, desconecten el sitio de su aplicaci\u00f3n de sincronizaci\u00f3n de MailChimp, interrumpiendo las campa\u00f1as de correo electr\u00f3nico automatizadas y las integraciones de marketing."}], "id": "CVE-2026-1303", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-14T07:16:09.970", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/olalaweb-mailchimp-campaign-manager/tags/3.2.4/mailchimp-campaigns-manager.php#L636"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/olalaweb-mailchimp-campaign-manager/trunk/mailchimp-campaigns-manager.php#L636"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c2057ec2-9f03-4ae9-b200-aa5a318b461e?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,3.2.4]"}}], "product": "mailchimp_campaigns", "vendor": "matthieuscarset"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T18:27:08.265212+00:00", "value": {"mitigation_remediation": ["Update the MailChimp Campaigns plugin to the latest release that includes the missing capability check fix.", "If an update cannot be applied immediately, temporarily block or disable the mailchimp_campaigns_manager_disconnect_app AJAX endpoint for non\u2011administrator users, or implement a custom filter that requires administrator capability to reach the endpoint.", "Review and harden WordPress role permissions so that only administrator or super\u2011administrator users can access sensitive mail\u2011integration actions, and reduce or remove Subscriber and Editor roles from any exposed endpoint."], "summary": {"action": "Patch Required", "impact": "Disruption of MailChimp integration via unauthorized disconnection"}, "threat_synthesis": {"affected_systems": "The vulnerability affects all releases of the matthieuscarset MailChimp Campaigns plugin through version 3.2.4. WordPress sites that have installed this plugin and provide Subscriber\u2011level access to any user are at risk. The problem lies in the missing capability check in the PHP file mailchimp\u2011campaigns\u2011manager.php, specifically around line 636 where the disconnect function is hooked to the AJAX action of the same name. MailChimp Campaigns is the only product mentioned in the CNA records.", "description_and_impact": "The MailChimp Campaigns plugin for WordPress contains a Missing Authorization weakness in its AJAX disconnect function. The mailchimp_campaigns_manager_disconnect_app action is called without verifying that the current user holds sufficient permissions. As a result, any authenticated user with Subscriber level or higher can trigger the endpoint and sever the site\u2019s connection to its MailChimp integration, interrupting automated email blasts and other marketing workflows. The flaw does not enable direct access to data or code execution, but it does allow an attacker to disrupt the business\u2019s external marketing communications.", "risk_and_exploitability": "The CVSS score of 5.3 places the issue in the medium severity range, and the EPSS score of less than 1\u202f% indicates that actual exploitation is currently unlikely. Because the attack vector requires only authenticated access, an attacker can trigger the exploit simply by visiting a URL or sending an AJAX request. The vulnerability is not listed in the CISA KEV catalog, so there are no known widespread attacks reported against it. Nonetheless, the ability to disable a key marketing channel could have business\u2011continuity implications, so a timely update is advisable."}}}}, "created": "2026-02-16T12:02:07.235856+00:00", "updated": "2026-04-15T18:30:10.952456+00:00", "vendors": ["matthieuscarset", "matthieuscarset$PRODUCT$mailchimp_campaigns", "wordpress", "wordpress$PRODUCT$wordpress"]}