MC4WP: Mailchimp for WordPress Security & Risk Analysis

wordpress.org/plugins/mailchimp-for-wp

The #1 Mailchimp plugin for WordPress. Allows you to add a multitude of newsletter sign-up methods to your site.

1.0M active installs · v4.12.0 · PHP 7.4+ · WP 4.6+ · Updated Mar 9, 2026
Tags: email, form, mailchimp, newsletter, subscribe
Score: 92 (A · Safe)
CVEs total: 11
Unpatched: 0
Last CVE: Mar 10, 2026
Safety Verdict

Is MC4WP: Mailchimp for WordPress Safe to Use in 2026?

Generally Safe

Score 92/100

MC4WP: Mailchimp for WordPress has a strong security track record. Known vulnerabilities have been patched promptly.

11 known CVEs · Last CVE: Mar 10, 2026 · Updated 25d ago
Risk Assessment

The Mailchimp for WordPress plugin (v4.12.0) exhibits a mixed security posture. While there are no currently unpatched CVEs and the plugin does not bundle external libraries, significant concerns arise from static analysis. A notable attack surface exists in the form of 2 unprotected entry points: 1 AJAX handler and 1 REST API route lacking permission callbacks, which directly exposes their functionality to unauthorized access and potential manipulation. Furthermore, only 41% of output is properly escaped, suggesting a heightened risk of Cross-Site Scripting (XSS) vulnerabilities. Of the 4 SQL queries in total, only 25% use prepared statements, indicating a risk of SQL injection. Taint analysis shows 4 flows with unsanitized paths; although none is flagged as critical or high, in combination with the other weaknesses they warrant caution.

The plugin's historical vulnerability data reveals a pattern of past issues, including missing authorization, XSS, CSRF, and open redirects. The sheer volume of 11 known CVEs, even if all are patched, suggests a history of security weaknesses in the codebase. The fact that the last vulnerability was in 2026 (presumably a typo that should read a past year) is concerning if it implies recent discovery of unpatched issues or a lack of ongoing security vigilance. In conclusion, while the absence of unpatched vulnerabilities is a positive sign, the unprotected entry points, insufficient output escaping, and the plugin's vulnerability history present substantial risks that require careful consideration and mitigation.

Key Concerns

  • Unprotected AJAX handler
  • Unprotected REST API route
  • Low percentage of properly escaped output
  • Low percentage of SQL prepared statements
  • Unsanitized flows in taint analysis
  • High number of past CVEs (11)
Vulnerabilities: 11

MC4WP: Mailchimp for WordPress Security Vulnerabilities

CVEs by Year

2016: 1 CVE
2017: 1 CVE
2019: 1 CVE
2021: 2 CVEs
2022: 2 CVEs
2023: 1 CVE
2024: 2 CVEs
2026: 1 CVE

Severity Breakdown

High: 1
Medium: 10

11 total CVEs

CVE-2026-1781 · medium · 6.5 · Missing Authorization
MC4WP: Mailchimp for WordPress <= 4.11.1 - Missing Authorization to Unauthenticated Arbitrary Subscription Deletion
Mar 10, 2026 · Patched in 4.12.0 (1d)

CVE-2024-8680 · medium · 4.4 · Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
MailChimp for Wordpress <= 4.9.16 - Authenticated (Administrator+) Stored Cross-Site Scripting
Sep 20, 2024 · Patched in 4.9.17 (1d)

CVE-2024-8850 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
MC4WP: Mailchimp for WordPress 4.9.9 - 4.9.16 - Reflected Cross-Site Scripting
Sep 18, 2024 · Patched in 4.9.17 (8d)

CVE-2023-51682 · medium · 5.3 · Missing Authorization
MC4WP <= 4.9.9 - Missing Authorization via listen
Dec 27, 2023 · Patched in 4.9.10 (27d)

CVE-2021-36833 · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
MC4WP: Mailchimp for WordPress <= 4.8.6 - Authenticated (Admin+) Stored Cross-Site Scripting
Mar 2, 2022 · Patched in 4.8.7 (692d)

WF-bd57edf5-a75e-4677-a51e-9dd262eeba4a-mailchimp-for-wp · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
MC4WP: Mailchimp for WordPress < 4.8.7 - Cross-Site Scripting
Mar 2, 2022 · Patched in 4.8.7 (692d)

WF-370a6130-425c-4264-baaf-8989d3b00d14-mailchimp-for-wp · high · 8.8 · Cross-Site Request Forgery (CSRF)
MC4WP: Mailchimp for WordPress <= 4.8.4 - Cross-Site Request Forgery
Jun 1, 2021 · Patched in 4.8.5 (966d)

WF-dd7db465-ebeb-477b-b6c8-a9b89ba2372b-mailchimp-for-wp · medium · 6.1 · URL Redirection to Untrusted Site ('Open Redirect')
MC4WP: Mailchimp for WordPress <= 4.8.4 - Open Redirect
Jun 1, 2021 · Patched in 4.8.5 (966d)

WF-86cb08ae-aa21-4ee6-baed-03429e4d38e2-mailchimp-for-wp · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
MC4WP: Mailchimp for WordPress <= 4.1.6 - Reflected Cross-Site Scripting
Nov 9, 2019 · Patched in 4.1.7 (1536d)

CVE-2017-18577 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Mailchimp For WP <= 4.1.7 - Cross-Site Scripting
Sep 8, 2017 · Patched in 4.1.8 (2328d)

CVE-2016-10871 · medium · 6.1 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
MailChimp for WordPress <= 4.0.10 - Authenticated Cross-Site Scripting
Dec 13, 2016 · Patched in 4.0.11 (2597d)

Code Analysis
Analyzed Mar 16, 2026

MC4WP: Mailchimp for WordPress Code Analysis

Dangerous Functions: 0
Raw SQL Queries: 3 (1 prepared)
Unescaped Output: 289 (205 escaped)
Nonce Checks: 2
Capability Checks: 7
File Operations: 19
External Requests: 2
Bundled Libraries: 0

SQL Query Safety: 25% prepared, 4 total queries

Output Escaping: 41% escaped, 494 total outputs

Data Flows: 4 unsanitized

Data Flow Analysis

4 flows, 4 with unsanitized paths
show_integrations_page (includes\integrations\class-admin.php:161)

Attack Surface: 2 unprotected

MC4WP: Mailchimp for WordPress Attack Surface

Entry Points: 2
Unprotected: 2

AJAX Handlers (1)

auth · wp_ajax_mc4wp_get_list_details · includes\admin\class-admin-ajax.php:27

REST API Routes (1)

POST /wp-json/mc4wp/v1/form · includes\forms\class-form-manager.php:129

WordPress Hooks (136)

Scheduled Events (3)

mc4wp_refresh_mailchimp_lists (listed three times)

Maintenance & Trust

MC4WP: Mailchimp for WordPress Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 9, 2026
PHP min version: 7.4
Downloads: 72.6M

Community Trust

Rating: 96/100
Number of ratings: 1,492
Active installs: 1.0M

Developer Profile

MC4WP: Mailchimp for WordPress Developer Profile

Danny van Kooten

9 plugins · 1.1M total installs

Trust score: 77
Avg Security Score: 97/100
Avg Patch Time: 655 days

Detection Fingerprints

How We Detect MC4WP: Mailchimp for WordPress

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/mailchimp-for-wp/assets/css/admin.css
/wp-content/plugins/mailchimp-for-wp/assets/css/global.css
/wp-content/plugins/mailchimp-for-wp/assets/css/forms.css
/wp-content/plugins/mailchimp-for-wp/assets/css/settings.css
/wp-content/plugins/mailchimp-for-wp/assets/js/admin.js
/wp-content/plugins/mailchimp-for-wp/assets/js/global.js
/wp-content/plugins/mailchimp-for-wp/assets/js/forms.js
/wp-content/plugins/mailchimp-for-wp/assets/js/settings.js
+3 more

Script Paths
/wp-content/plugins/mailchimp-for-wp/assets/js/admin.js
/wp-content/plugins/mailchimp-for-wp/assets/js/global.js
/wp-content/plugins/mailchimp-for-wp/assets/js/forms.js
/wp-content/plugins/mailchimp-for-wp/assets/js/settings.js
/wp-content/plugins/mailchimp-for-wp/assets/js/vendors/jquery.validate.min.js
/wp-content/plugins/mailchimp-for-wp/assets/js/vendors/Chart.min.js
+1 more

Version Parameters
mailchimp-for-wp/assets/css/admin.css?ver=
mailchimp-for-wp/assets/css/global.css?ver=
mailchimp-for-wp/assets/css/forms.css?ver=
mailchimp-for-wp/assets/css/settings.css?ver=
mailchimp-for-wp/assets/js/admin.js?ver=
mailchimp-for-wp/assets/js/global.js?ver=
mailchimp-for-wp/assets/js/forms.js?ver=
mailchimp-for-wp/assets/js/settings.js?ver=
mailchimp-for-wp/assets/js/vendors/jquery.validate.min.js?ver=
mailchimp-for-wp/assets/js/vendors/Chart.min.js?ver=
mailchimp-for-wp/assets/js/dashboard.js?ver=

HTML / DOM Fingerprints

CSS Classes
mc4wp-settings, mc4wp-form-preview, mc4wp-form-editor, mc4wp-integration-list, mc4wp-dashboard-widget

HTML Comments
<!-- Mailchimp for WordPress form -->
<!-- MC4WP: Preview -->
<!-- MC4WP: Form Editor -->

Data Attributes
data-mc4wp-form-id, data-mc4wp-ajax-url

JS Globals
mc4wp_localize

REST Endpoints
/wp-json/mc4wp/v1/forms
/wp-json/mc4wp/v1/settings

Shortcode Output
[mc4wp_form]

FAQ

Frequently Asked Questions about MC4WP: Mailchimp for WordPress