What the vulnerability does
01 Description
ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor (elementskit-lite) WordPress plugin versions prior to 3.7.9 expose the REST endpoint /wp-json/elementskit/v1/widget/mailchimp/subscribe without authentication. The endpoint accepts client-supplied Mailchimp API credentials and insufficiently validates certain parameters, including the list parameter, when constructing upstream Mailchimp API requests. An unauthenticated attacker can abuse the endpoint as an open proxy to Mailchimp, potentially triggering unauthorized API calls, manipulating subscription data, exhausting API quotas, or causing resource consumption on the affected WordPress site.
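As an added illustration, not ElementsKit's own code, the following shows a WordPress REST route in the weak shape the advisory describes beside a hardened form: a real permission_callback, a validate_callback on the list parameter before it reaches the upstream URL, and the Mailchimp key read from server-side settings rather than the request body. The function names, option name and email parameter are assumptions made for this example.

```php
<?php
// Added illustration, not the plugin's code. Route path and the "list" parameter come from
// the advisory; function names, the option name and the "email" parameter are assumptions.
// Weak shape the advisory describes: the route is public and the handler would forward
// client-supplied credentials and an unvalidated "list" value upstream to Mailchimp.
function example_register_weak_route() {
    register_rest_route( 'elementskit/v1', '/widget/mailchimp/subscribe', array(
        'methods'             => 'POST',
        'callback'            => 'example_subscribe_weak',
        'permission_callback' => '__return_true', // anyone with network access may call it
    ) );
}
// Hardened: the caller must be an authenticated user, "list" is constrained to a plausible
// Mailchimp list-id shape before it is placed in the upstream URL, and the API key is read
// from stored plugin settings, never from the request.
function example_register_hardened_route() {
    register_rest_route( 'elementskit/v1', '/widget/mailchimp/subscribe', array(
        'methods'             => 'POST',
        'callback'            => 'example_subscribe_hardened',
        'permission_callback' => function () { return is_user_logged_in(); },
        'args'                => array(
            'list'  => array(
                'required'          => true,
                'validate_callback' => function ( $v ) { return is_string( $v ) && preg_match( '/^[a-z0-9]{1,32}$/i', $v ) === 1; },
                'sanitize_callback' => 'sanitize_key',
            ),
            'email' => array(
                'required'          => true,
                'validate_callback' => function ( $v ) { return is_email( $v ) !== false; },
                'sanitize_callback' => 'sanitize_email',
            ),
        ),
    ) );
}
add_action( 'rest_api_init', 'example_register_hardened_route' );
function example_subscribe_hardened( WP_REST_Request $request ) {
    $api_key = get_option( 'example_mailchimp_api_key' ); // stored secret, never client-supplied
    if ( empty( $api_key ) || strpos( $api_key, '-' ) === false ) {
        return new WP_Error( 'not_configured', 'Mailchimp is not configured.', array( 'status' => 500 ) );
    }
    $dc  = substr( strrchr( $api_key, '-' ), 1 ); // Mailchimp data-centre suffix after the last '-'
    $url = sprintf( 'https://%s.api.mailchimp.com/3.0/lists/%s/members',
        rawurlencode( $dc ), rawurlencode( $request->get_param( 'list' ) ) );
    $resp = wp_remote_post( $url, array(
        'headers' => array( 'Authorization' => 'Basic ' . base64_encode( 'anystring:' . $api_key ) ),
        'body'    => wp_json_encode( array( 'email_address' => $request->get_param( 'email' ), 'status' => 'pending' ) ),
    ) );
    return is_wp_error( $resp ) ? $resp : rest_ensure_response( array( 'status' => wp_remote_retrieve_response_code( $resp ) ) );
}
```

The weak registration is deliberately never hooked; it is shown only so the two permission_callback and args settings can be compared side by side.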
Explanation of Vulnerability in Simple Terms
02 Summary
ElementsKit Elementor Addons versions before 3.7.9 contain a missing-authentication vulnerability that allows unauthenticated attackers to modify site data, compromising its integrity, over the network. The vulnerability requires no user interaction and can be exploited remotely. Site administrators should update immediately to version 3.7.9 or later.
What an attacker can do
03 Attacker Capabilities
Modify site data, compromising its integrity, without authentication or user interaction.
Potential impact on your site
04 Site Impact
Attackers can alter site content, settings, or data without logging in.
Conditions required to exploit
05 Prerequisites
Network access only; no authentication or user interaction required.
Key dates
06 Disclosure timeline
February 23, 2026: CVE published
February 25, 2026: Record updated