CVE-2026-23693 CRITICAL

CVE-2026-23693: ElementsKit Elementor Addons < 3.7.9 Unauthenticated Mailchimp REST Endpoint

Vendor Roxnor
Product ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor
Weakness CWE-306 · Missing Authentication for Critical Function
Published February 23, 2026
Last update February 25, 2026

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H

What the vulnerability does

01 Description

ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor (elementskit-lite) WordPress plugin versions prior to 3.7.9 expose the REST endpoint /wp-json/elementskit/v1/widget/mailchimp/subscribe without authentication. The endpoint accepts client-supplied Mailchimp API credentials and insufficiently validates certain parameters, including the list parameter, when constructing upstream Mailchimp API requests. An unauthenticated attacker can abuse the endpoint as an open proxy to Mailchimp, potentially triggering unauthorized API calls, manipulating subscription data, exhausting API quotas, or causing resource consumption on the affected WordPress site.
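As an added triage example (not code from the advisory, the vendor or the plugin), the following Python script flags POST requests to the affected route in a web-server access log and checks whether an installed elementskit-lite version falls below the 3.7.9 fix. The log lines, IP addresses and user agents are constructed samples; the `?rest_route=` form is WordPress's standard alternative to `/wp-json/` paths and is normalised so that path-only matching does not miss it.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Route named in the advisory (the /wp-json prefix is stripped during normalisation).
ROUTE = "/elementskit/v1/widget/mailchimp/subscribe"
FIXED_IN = (3, 7, 9)  # first non-affected version per the advisory

# Constructed sample access-log lines (combined log format), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [24/Feb/2026:10:01:02 +0000] "POST /wp-json/elementskit/v1/widget/mailchimp/subscribe HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [24/Feb/2026:10:01:03 +0000] "POST /wp-json/elementskit/v1/widget/mailchimp/subscribe HTTP/1.1" 200 498 "-" "python-requests/2.31"
198.51.100.4 - - [24/Feb/2026:10:02:10 +0000] "GET /wp-json/wp/v2/posts HTTP/1.1" 200 8213 "-" "Mozilla/5.0"
192.0.2.9 - - [24/Feb/2026:10:03:44 +0000] "POST /index.php?rest_route=/elementskit/v1/widget/mailchimp/subscribe HTTP/1.1" 500 120 "-" "curl/8.5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def is_affected(version: str) -> bool:
    """True if an elementskit-lite version string is below the 3.7.9 fix."""
    parts = [int(p) for p in version.split(".")]
    parts += [0] * (3 - len(parts))  # treat "3.7" as 3.7.0
    return tuple(parts[:3]) < FIXED_IN

def rest_route(target: str) -> str:
    """Normalise a request target to its WP REST route.
    Handles pretty permalinks (/wp-json/...) and the ?rest_route= query form."""
    parts = urlsplit(target)
    if parts.path.startswith("/wp-json/"):
        return parts.path[len("/wp-json"):]
    return parse_qs(parts.query).get("rest_route", [""])[0]

def find_hits(log_text: str) -> list:
    """Return one record per POST that reaches the affected route."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and m["method"] == "POST" and rest_route(m["target"]).rstrip("/") == ROUTE:
            hits.append({"ip": m["ip"], "ts": m["ts"], "status": int(m["status"])})
    return hits

def hits_by_source(log_text: str) -> Counter:
    """Count affected-route POSTs per client IP for quick prioritisation."""
    return Counter(h["ip"] for h in find_hits(log_text))

if __name__ == "__main__":
    for ip, n in hits_by_source(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} POST(s) to {ROUTE}")
```

Any hit on a site still running an affected version is worth correlating with Mailchimp-side audit logs and API quota usage, since the advisory describes the endpoint acting as an open proxy.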

Explanation of Vulnerability in Simple Terms

02 Summary

ElementsKit Elementor Addons versions before 3.7.9 contain a missing-authentication vulnerability that allows unauthenticated attackers to compromise site data and integrity over the network. The vulnerability requires no user interaction and can be exploited remotely. Site administrators should update immediately to version 3.7.9 or later.

What an attacker can do

03 Attacker Capabilities

Compromise site data and integrity without authentication or user interaction.

Potential impact on your site

04 Site Impact

Attackers can alter site content, settings, or data without logging in.

Conditions required to exploit

05 Prerequisites

Network access only; no authentication or user interaction required.

Key dates

06 Disclosure timeline

February 23, 2026 CVE published
February 25, 2026 Record updated