CVE-2026-23693
Published: 23 February 2026
Summary
CVE-2026-23693 is a critical-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Wordpress (inferred from references). Its CVSS base score is 10.0 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 41.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and SC-14 (Public Access Protections).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
AC-14 directly prohibits permitting critical functions like the unauthenticated Mailchimp proxy endpoint without identification or authentication.
SC-14 enforces approved authorizations on publicly accessible REST endpoints such as /wp-json/elementskit/v1/widget/mailchimp/subscribe to block unauthenticated abuse.
SI-10 mandates validation of client-supplied parameters like 'list' prior to constructing upstream Mailchimp API requests, mitigating insufficient validation exploits.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Unauthenticated exposed REST endpoint in public-facing WordPress plugin enables exploitation of public-facing application (T1190) and resource consumption/DoS via crafted requests (T1499.004).
NVD Description
ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor (elementskit-lite) WordPress plugin versions prior to 3.7.9 expose the REST endpoint /wp-json/elementskit/v1/widget/mailchimp/subscribe without authentication. The endpoint accepts client-supplied Mailchimp API credentials and insufficiently validates certain parameters, including the list…
more
parameter, when constructing upstream Mailchimp API requests. An unauthenticated attacker can abuse the endpoint as an open proxy to Mailchimp, potentially triggering unauthorized API calls, manipulating subscription data, exhausting API quotas, or causing resource consumption on the affected WordPress site.
Deeper analysisAI
CVE-2026-23693 affects the ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor (elementskit-lite) WordPress plugin in versions prior to 3.7.9. The vulnerability stems from an exposed REST endpoint at /wp-json/elementskit/v1/widget/mailchimp/subscribe that operates without authentication. This endpoint accepts client-supplied Mailchimp API credentials and fails to sufficiently validate parameters, such as the list parameter, when forwarding requests to the upstream Mailchimp API, effectively turning it into an open proxy. The issue is classified under CWE-306 (Missing Authentication for Critical Function) with a CVSS v3.1 base score of 10.0 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H).
Unauthenticated attackers can exploit this vulnerability remotely over the network with low complexity and no privileges required. By abusing the endpoint, they can proxy arbitrary requests to Mailchimp using supplied credentials, enabling unauthorized API calls, manipulation of subscription data, exhaustion of Mailchimp API quotas, or resource consumption on the affected WordPress site through denial-of-service effects.
Mitigation involves updating the elementskit-lite plugin to version 3.7.9 or later, as indicated by the vulnerability's scope to prior versions. Additional details are available in advisories from VulnCheck and plugin documentation on wordpress.org and wpmet.com.
Details
- CWE(s)