CVE-2026-1303
Missing Authorization in MailChimp Campaigns Plugin Allows Disruption
Publication date: 2026-02-14
Last updated on: 2026-02-14
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| olalaweb | mailchimp_campaigns_manager | to 3.2.4 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The MailChimp Campaigns plugin for WordPress has a vulnerability called Missing Authorization in all versions up to and including 3.2.4. This happens because the function mailchimp_campaigns_manager_disconnect_app, which is triggered by an AJAX action of the same name, does not properly check user capabilities.
As a result, any authenticated user with Subscriber-level access or higher can disconnect the WordPress site from its MailChimp synchronization app without proper permission checks.
This unauthorized disconnection disrupts automated email campaigns and marketing integrations that rely on MailChimp synchronization.
How can this vulnerability impact me? :
This vulnerability allows attackers with even low-level authenticated access (Subscriber or above) to disconnect your WordPress site from the MailChimp synchronization app.
The impact is primarily on the integrity and availability of your automated email campaigns and marketing integrations, which will be disrupted.
While it does not directly compromise data confidentiality or availability of the site itself, it can interrupt marketing workflows and potentially affect business communications.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves missing authorization checks in the MailChimp Campaigns plugin for WordPress, specifically in the AJAX action 'mailchimp_campaigns_manager_disconnect_app'. Detection would involve monitoring for unauthorized AJAX requests to this action, especially those initiated by users with Subscriber-level access or above.
Since the vulnerability allows authenticated users with low privileges to disconnect the MailChimp synchronization app, you can detect exploitation attempts by checking your web server or WordPress logs for POST requests to admin-ajax.php with the action parameter set to 'mailchimp_campaigns_manager_disconnect_app'.
Example command to search web server logs (assuming Apache logs and typical log location):
- grep 'action=mailchimp_campaigns_manager_disconnect_app' /var/log/apache2/access.log
Additionally, within WordPress, you can enable logging of AJAX requests or use security plugins that monitor suspicious AJAX activity.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, the immediate step is to update the MailChimp Campaigns plugin to a version later than 3.2.4 where the missing authorization checks are fixed.
If an update is not immediately available, you should restrict access to the AJAX action 'mailchimp_campaigns_manager_disconnect_app' by implementing additional capability checks or disabling the plugin temporarily to prevent unauthorized disconnection of the MailChimp synchronization app.
Also, review user roles and permissions to ensure that only trusted users have Subscriber-level access or higher, as the vulnerability requires at least Subscriber-level authentication.