Cyber Resilience

CVE-2026-23693

CriticalPublic PoC

Published: 23 February 2026

Published
23 February 2026
Modified
15 April 2026
KEV Added
Patch
CVSS Score v4 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0038 30.1th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2026-23693 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Wordpress (inferred from references). Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 30.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SC-14 (Public Access Protections).

Deeper analysis

CVE-2026-23693 affects the ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor (elementskit-lite) WordPress plugin in versions prior to 3.7.9. The vulnerability stems from an exposed REST endpoint at /wp-json/elementskit/v1/widget/mailchimp/subscribe that operates without authentication. This endpoint accepts client-supplied Mailchimp API credentials and fails to sufficiently validate parameters, such as the list parameter, when forwarding requests to the upstream Mailchimp API, effectively turning it into an open proxy. The issue is classified under CWE-306 (Missing Authentication for Critical Function) with a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H).

Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no privileges required. By abusing the endpoint, they can proxy arbitrary requests to Mailchimp using supplied credentials, enabling unauthorized API calls, manipulation of subscription data, exhaustion of Mailchimp API quotas, or resource consumption on the affected WordPress site through denial-of-service effects.

Mitigation involves updating the elementskit-lite plugin to version 3.7.9 or later, as indicated by the vulnerability's scope to prior versions. Additional details are available in advisories from VulnCheck and plugin documentation on wordpress.org and wpmet.com.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor (elementskit-lite) WordPress plugin versions prior to 3.7.9 expose the REST endpoint /wp-json/elementskit/v1/widget/mailchimp/subscribe without authentication. The endpoint accepts client-supplied Mailchimp API credentials and insufficiently validates certain parameters, including the list…

more

parameter, when constructing upstream Mailchimp API requests. An unauthenticated attacker can abuse the endpoint as an open proxy to Mailchimp, potentially triggering unauthorized API calls, manipulating subscription data, exhausting API quotas, or causing resource consumption on the affected WordPress site.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Unauthenticated exposed REST endpoint in public-facing WordPress plugin enables exploitation of public-facing application (T1190) and resource consumption/DoS via crafted requests (T1499.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-34731Shared CWE-306
CVE-2024-8053Shared CWE-306
CVE-2025-26339Shared CWE-306
CVE-2026-32296Shared CWE-306
CVE-2026-4810Shared CWE-306
CVE-2025-53847Shared CWE-306
CVE-2025-61757Shared CWE-306
CVE-2025-55222Shared CWE-306
CVE-2025-68715Shared CWE-306
CVE-2026-21992Shared CWE-306

Affected Assets

Wordpress
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

AC-14 directly prohibits permitting critical functions like the unauthenticated Mailchimp proxy endpoint without identification or authentication.

prevent

SC-14 enforces approved authorizations on publicly accessible REST endpoints such as /wp-json/elementskit/v1/widget/mailchimp/subscribe to block unauthenticated abuse.

prevent

SI-10 mandates validation of client-supplied parameters like 'list' prior to constructing upstream Mailchimp API requests, mitigating insufficient validation exploits.

References