CVE-2026-25420 MEDIUM

CVE-2026-25420: WordPress MailerLite plugin <= 1.7.18 - Broken Access Control vulnerability

Vendor Mailerlite
Product MailerLite
Weakness CWE-862 · Missing authorization
Published February 19, 2026
Last update April 28, 2026

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L

What the vulnerability does

01Description

Missing Authorization vulnerability in MailerLite MailerLite official-mailerlite-sign-up-forms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MailerLite: from n/a through <= 1.7.18.

Explanation of Vulnerability in Simple Terms

02Summary

MailerLite versions up to 1.7.18 lack proper authorization checks, allowing authenticated users to degrade service availability. An attacker with low-privilege access can trigger a denial-of-service condition affecting the application's availability. The vulnerability requires valid credentials but no special user interaction.

What an attacker can do

03Attacker Capabilities

Degrade or disrupt MailerLite service availability by exploiting missing authorization controls.

Potential impact on your site

04Site Impact

Legitimate users may experience service disruptions or unavailability if an attacker exploits this flaw.

Conditions required to exploit

05Prerequisites

Attacker must have a valid MailerLite account with low-level privileges; no user interaction required.

Key dates

06Disclosure timeline

February 19, 2026 CVE published
April 28, 2026 Record updated