Mailchimp List Subscribe Form Security & Risk Analysis

wordpress.org/plugins/mailchimp

Add a Mailchimp signup form block, widget, or shortcode to your WordPress site.

60K active installs · v2.0.1 · PHP 7.0+ · WP 6.4+ · Updated Jan 8, 2026

Tags: email, mailchimp, marketing, newsletter, signup

Security score: 99 (grade A · Safe)
CVEs total: 1
Unpatched: 0
Last CVE: Feb 18, 2026
Safety Verdict

Is Mailchimp List Subscribe Form Safe to Use in 2026?

Generally Safe

Score 99/100

Mailchimp List Subscribe Form has a strong security track record. Known vulnerabilities have been patched promptly.

1 known CVE · Last CVE: Feb 18, 2026 · Updated 2mo ago
Risk Assessment

This plugin exhibits a generally strong security posture, with a significant emphasis on secure coding practices. The static analysis reveals a robust implementation of security measures, including a high percentage of properly escaped output, the complete absence of raw SQL queries, and a comprehensive use of nonce and capability checks across its entry points. The lack of dangerous functions and file operations further contributes to its security. However, the presence of three flows with unsanitized paths, although not rated as critical or high severity by the taint analysis, warrants attention as these could potentially lead to unexpected behavior or security vulnerabilities if exploited in specific contexts. The plugin's vulnerability history, while showing only one past medium-severity CVE, has a recent date, suggesting that historical issues have been addressed. The fact that there are no currently unpatched vulnerabilities is a positive indicator. Overall, the plugin demonstrates good security fundamentals, but the identified unsanitized paths represent a minor area of concern that should be monitored and ideally mitigated.

Key Concerns

  • Flows with unsanitized paths found
  • One past medium severity CVE
Vulnerabilities
1

Mailchimp List Subscribe Form Security Vulnerabilities

CVEs by Year

2026: 1 CVE (patched, none unpatched)

Severity Breakdown

Medium: 1

1 total CVE

CVE-2025-12172 · medium · CVSS 4.3 · Cross-Site Request Forgery (CSRF)

Mailchimp List Subscribe Form <= 2.0.0 - Cross-Site Request Forgery to Mailchimp List Change

Disclosed Feb 18, 2026 · Patched in 2.0.1 (1d)
Code Analysis
Analyzed Mar 16, 2026

Mailchimp List Subscribe Form Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 0 (0 prepared)
Unescaped Output: 8 (425 escaped)
Nonce Checks: 14
Capability Checks: 13
File Operations: 0
External Requests: 4
Bundled Libraries: 0

Output Escaping

98% escaped (433 total outputs)
Data Flows
3 unsanitized

Data Flow Analysis

5 flows, 3 with unsanitized paths

mailchimp_sf_change_list_if_necessary (mailchimp.php:530)

[Flow diagram legend: Source (user input), Sink (dangerous op), Sanitizer, Transform, Unsanitized, Sanitized]
Attack Surface

Mailchimp List Subscribe Form Attack Surface

Entry Points: 10
Unprotected: 0

AJAX Handlers 7

[auth] wp_ajax_mailchimp_sf_get_user_sync_status - includes\admin\class-mailchimp-user-sync.php:68
[auth] wp_ajax_mailchimp_sf_delete_user_sync_error - includes\admin\class-mailchimp-user-sync.php:69
[auth] wp_ajax_mailchimp_sf_oauth_start - includes\class-mailchimp-admin.php:41
[auth] wp_ajax_mailchimp_sf_oauth_finish - includes\class-mailchimp-admin.php:42
[auth] wp_ajax_mailchimp_sf_create_account - includes\class-mailchimp-admin.php:43
[auth] wp_ajax_mailchimp_sf_check_login_session - includes\class-mailchimp-admin.php:44
[auth] wp_ajax_mailchimp_sf_preview_form - includes\class-mailchimp-admin.php:45

REST API Routes 1

GET /wp-json/mailchimp/v1/list-data/(?P<list_id>[a-zA-Z0-9]+)/ - includes\blocks\class-mailchimp-list-subscribe-form-blocks.php:130

Shortcodes 2

[mailchimpsf_form] - mailchimp.php:744
[mailchimpsf_widget] - mailchimp_compat.php:35
WordPress Hooks 23
action admin_init - includes\admin\class-mailchimp-user-sync.php:55
action admin_init - includes\admin\class-mailchimp-user-sync.php:56
action admin_post_mailchimp_sf_start_user_sync - includes\admin\class-mailchimp-user-sync.php:57
action admin_post_mailchimp_sf_cancel_user_sync - includes\admin\class-mailchimp-user-sync.php:58
action admin_post_mailchimp_sf_skip_user_sync_cta - includes\admin\class-mailchimp-user-sync.php:59
action admin_notices - includes\admin\class-mailchimp-user-sync.php:65
action mailchimp_sf_user_sync_before_form - includes\admin\class-mailchimp-user-sync.php:71
action user_register - includes\admin\class-mailchimp-user-sync.php:76
action profile_update - includes\admin\class-mailchimp-user-sync.php:77
action init - includes\blocks\class-mailchimp-list-subscribe-form-blocks.php:29
action rest_api_init - includes\blocks\class-mailchimp-list-subscribe-form-blocks.php:31
action admin_notices - includes\class-mailchimp-admin.php:40
action admin_enqueue_scripts - includes\class-mailchimp-admin.php:47
action admin_menu - includes\class-mailchimp-admin.php:48
filter admin_footer_text - includes\class-mailchimp-admin.php:49
action init - includes\class-mailchimp-form-submission.php:25
action mailchimp_sf_handle_user_update - includes\class-mailchimp-user-sync-backgroud-process.php:67
action admin_notices - mailchimp.php:41
action wp_enqueue_scripts - mailchimp.php:131
action init - mailchimp.php:135
action init - mailchimp.php:244
action widgets_init - mailchimp.php:732
action plugins_loaded - mailchimp_upgrade.php:32
Maintenance & Trust

Mailchimp List Subscribe Form Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Jan 8, 2026
PHP min version: 7.0
Downloads: 2.5M

Community Trust

Rating: 52/100
Number of ratings: 77
Active installs: 60K
Developer Profile

Mailchimp List Subscribe Form Developer Profile

Mailchimp

2 plugins · 360K total installs

Trust score: 78
Avg Security Score: 99/100
Avg Patch Time: 451 days
Detection Fingerprints

How We Detect Mailchimp List Subscribe Form

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/mailchimp/assets/js/mailchimp.js
/wp-content/plugins/mailchimp/assets/css/flick/flick.css
/wp-content/plugins/mailchimp/assets/css/frontend.css
Script Paths
/wp-content/plugins/mailchimp/assets/js/mailchimp.js
Version Parameters
mailchimp/assets/js/mailchimp.js?ver=
mailchimp/assets/css/flick/flick.css?ver=
mailchimp/assets/css/frontend.css?ver=

HTML / DOM Fingerprints

CSS Classes
mc_signup_form
Data Attributes
data-mc-form-id
JS Globals
mailchimpSF
FAQ

Frequently Asked Questions about Mailchimp List Subscribe Form