MailChimp Subscribe Form, Optin Builder, PopUp Builder, Form Builder Security & Risk Analysis

wordpress.org/plugins/mailchimp-subscribe-sm

MailChimp Subscribe Form allows you to create Beautiful Professional looking Subscribe Forms, Popups, bars & full page optins easily in less than …

3K active installs · v4.3.3 · PHP 5.0+ · WP 3.2+ · Updated Nov 14, 2025

Tags: contact-form, email, marketing, subscribe-form, subscribe-forms

Security score: 96/100 (A · Safe)
CVEs total: 5
Unpatched: 0
Last CVE: Jan 15, 2025
Safety Verdict

Is MailChimp Subscribe Form, Optin Builder, PopUp Builder, Form Builder Safe to Use in 2026?

Generally Safe

Score 96/100

MailChimp Subscribe Form, Optin Builder, PopUp Builder, Form Builder has no outstanding CVEs: all 5 known issues have been fixed in a subsequent release, the most recent (CVE-2025-22727, disclosed Jan 15, 2025) in version 4.2.

5 known CVEs · Last CVE: Jan 15, 2025 · Updated 4mo ago
Risk Assessment

The mailchimp-subscribe-sm plugin, version 4.3.3, has a mixed security posture. Database access is sound: all four SQL queries use prepared statements, and the code carries 45 nonce checks and 27 capability checks. The concerns are the attack surface and output handling. Of the 62 entry points, one AJAX handler carries no authentication check; anything it does is available to whoever can POST to admin-ajax.php, so its impact depends entirely on what that handler touches. Output escaping is weak: 281 of 996 output statements (28%) are escaped and the remaining 715 are candidate Cross-Site Scripting sinks. That matters because three of the four CVEs since 2023 are stored XSS and the fourth is an open redirect: the historical weaknesses line up with what the static metrics show.

The vulnerability history, 5 known CVEs including one high-severity (8.8) code-injection issue from 2015, shows a pattern rather than a one-off. None is currently unpatched, and the static findings (unescaped output) match the historical vulnerability classes (XSS, Open Redirect, Code Injection). Taint analysis found 20 data flows, 6 with unsanitized paths, none rated critical or high, which is a positive sign. Separately, the plugin calls `unserialize` at five sites, and in every one the input is an HTTP response body from an upstream mailing-list API rather than a request parameter. That is a PHP object injection vector only if an attacker can control the response (a spoofed endpoint, a compromised upstream, or TLS verification switched off on the outbound request), so it is a lower-likelihood but high-impact issue that `allowed_classes => false` or a JSON response format would remove.

In conclusion: query handling is sound and most of the admin surface is gated, but the unauthenticated AJAX handler and the 72% of unescaped output are real risks, and the CVE history shows the same classes have been exploited in this code before. Site owners cannot patch plugin code themselves; the practical controls are to stay on 4.3.3 or later, treat Contributor and Editor accounts as able to put markup into form content (the stored-XSS CVEs required only those roles), keep the number of such accounts small, and confirm that nothing in the hosting stack disables certificate verification for outbound HTTP, since the `unserialize` sites trust whatever comes back.

Key Concerns

  • AJAX handler without auth check
  • Low output escaping (28% proper)
  • Use of unserialize function
  • High number of external HTTP requests
  • History of XSS, Open Redirect, Code Injection CVEs
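The "28% proper" escaping figure is about the pattern below. This is an added example, not code from mailchimp-subscribe-sm: a hypothetical save/render pair in the shape of the plugin's three stored-XSS CVEs (a low-privilege user saves a form setting, the site renders it raw), beside the same pair sanitized on save and escaped per output context. The meta key, function names and the `pluginops_forms` post-type assumption are mine; `sanitize_*`, `esc_*` and `wp_kses_post` are WordPress core. Assumes PHP 7+ for `??`.

```php
<?php
// Added example (not the plugin's code). Meta key and function names are hypothetical.

// --- Vulnerable shape: unsanitized in, unescaped out ---
function smfb_example_save_unsafe( $form_id ) {
    $settings = array(
        'title'    => $_POST['title'],        // stored exactly as submitted
        'redirect' => $_POST['redirect_url'],
    );
    update_post_meta( $form_id, '_smfb_example_settings', $settings );
}

function smfb_example_render_unsafe( $form_id ) {
    $s = get_post_meta( $form_id, '_smfb_example_settings', true );
    // <img src=x onerror=...> in the title runs for every visitor and every admin.
    echo '<div class="msf-sub-wrap" data-msf-form-id="' . $form_id . '">';
    echo '<h3>' . $s['title'] . '</h3>';
    echo '</div>';
}

// --- Hardened shape: sanitize on save, escape for the exact output context ---
function smfb_example_save_safe( $form_id ) {
    if ( ! current_user_can( 'edit_post', $form_id ) ) {
        wp_die( 'forbidden', 403 );
    }
    $settings = array(
        // plain text: tags and control characters stripped
        'title'    => sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) ),
        // rich text, if the feature really needs it: only post-safe tags survive
        'intro'    => wp_kses_post( wp_unslash( $_POST['intro'] ?? '' ) ),
        // URLs: esc_url_raw() for storage, esc_url() again at output time
        'redirect' => esc_url_raw( wp_unslash( $_POST['redirect_url'] ?? '' ) ),
    );
    update_post_meta( $form_id, '_smfb_example_settings', $settings );
}

function smfb_example_render_safe( $form_id ) {
    $s = wp_parse_args(
        get_post_meta( $form_id, '_smfb_example_settings', true ),
        array( 'title' => '', 'intro' => '', 'redirect' => '' )
    );
    // Escape at output even though save sanitized: other code paths (imports,
    // older versions, direct DB edits) can write the same meta.
    printf(
        '<div class="msf-sub-wrap" data-msf-form-id="%d" data-redirect="%s">',
        (int) $form_id,             // integer attribute: cast, not escape
        esc_attr( $s['redirect'] )  // attribute value: esc_attr()
    );
    echo '<h3>' . esc_html( $s['title'] ) . '</h3>';    // text node: esc_html()
    echo '<p>' . wp_kses_post( $s['intro'] ) . '</p>';  // intended HTML: wp_kses_post()
    echo '<a href="' . esc_url( $s['redirect'] ) . '">' . esc_html__( 'Continue', 'smfb-example' ) . '</a>';
    echo '</div>';
}
```

The escaping function is chosen by where the value lands (text node, attribute, href, intended HTML), not by where it came from; a scanner counting "escaped outputs" is counting exactly these call sites, and a value that passed through `sanitize_text_field()` on save still counts as unescaped if it is echoed raw later.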
Vulnerabilities (5)

MailChimp Subscribe Form, Optin Builder, PopUp Builder, Form Builder Security Vulnerabilities

CVEs by Year

  • 2015: 1 CVE
  • 2023: 2 CVEs
  • 2024: 1 CVE
  • 2025: 1 CVE

All patched; none unpatched.

Severity Breakdown

  • High: 1
  • Medium: 4

5 total CVEs

CVE-2025-22727 · medium · CVSS 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
MailChimp Subscribe Forms <= 4.1 - Authenticated (Contributor+) Stored Cross-Site Scripting
Jan 15, 2025 · Patched in 4.2 (8d)

CVE-2024-43211 · medium · CVSS 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
MailChimp Subscribe Forms <= 4.0.9.7 - Authenticated (Editor+) Stored Cross-Site Scripting
Aug 9, 2024 · Patched in 4.0.9.8 (179d)

CVE-2023-33328 · medium · CVSS 4.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
MailChimp Subscribe Forms <= 4.0.9.1 - Authenticated (Administrator+) Stored Cross-Site Scripting
May 22, 2023 · Patched in 4.0.9.2 (246d)

CVE-2023-32517 · medium · CVSS 6.1 · URL Redirection to Untrusted Site ('Open Redirect')
MailChimp Subscribe Forms <= 4.0.9.3 - Open Redirect
May 10, 2023 · Patched in 4.0.9.4 (258d)

WF-680746a3-8a72-4ec2-9f58-d744f40168ed-mailchimp-subscribe-sm · high · CVSS 8.8 · Improper Control of Generation of Code ('Code Injection')
MailChimp Subscribe Form, Optin Builder, PopUp Builder, Form Builder < 1.2 - Remote Code Execution
Apr 21, 2015 · Patched in 1.2 (3199d)
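CVE-2023-32517 is the one entry above that is not XSS. The following is an added example and not the plugin's code: the generic open-redirect shape for a "return to" parameter after a subscribe action, beside the WordPress-native fix. The parameter name, function names and the allow-listed host are hypothetical; `wp_redirect()`, `wp_safe_redirect()`, `wp_validate_redirect()` and the `allowed_redirect_hosts` filter are WordPress core.

```php
<?php
// Added example (not the plugin's code). Parameter and host names are hypothetical.

// Vulnerable: wp_redirect() accepts any absolute URL, so
// ?smfb_return=https://evil.example/ sends the visitor off-site under this
// site's name, which is what phishing campaigns buy with an open redirect.
function smfb_example_after_subscribe_unsafe() {
    $target = isset( $_GET['smfb_return'] ) ? $_GET['smfb_return'] : home_url();
    wp_redirect( $target );
    exit;
}

// Hardened: wp_validate_redirect() keeps only URLs whose host is this site
// (or one on the allowed_redirect_hosts filter) and returns the fallback
// otherwise; it also handles "//evil.example" and "javascript:" forms.
// wp_safe_redirect() applies the same validation again with an admin_url()
// fallback, so the explicit call just lets us choose home_url() as the fallback.
function smfb_example_after_subscribe_safe() {
    $target = isset( $_GET['smfb_return'] ) ? wp_unslash( $_GET['smfb_return'] ) : '';
    $target = wp_validate_redirect( esc_url_raw( $target ), home_url( '/' ) );
    wp_safe_redirect( $target );
    exit;
}

// If a thank-you page legitimately lives on another host you control,
// allow-list that host rather than falling back to wp_redirect().
add_filter( 'allowed_redirect_hosts', function ( $hosts ) {
    $hosts[] = 'thanks.example-you-control.test'; // hypothetical host
    return $hosts;
} );
```

A grep for `wp_redirect(` whose argument traces back to `$_GET`, `$_POST` or `$_REQUEST` without a `wp_validate_redirect()` in between finds this class in any plugin; `wp_safe_redirect()` is the drop-in replacement.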
Code Analysis
Analyzed Mar 16, 2026

MailChimp Subscribe Form, Optin Builder, PopUp Builder, Form Builder Code Analysis

Dangerous Functions: 5
Raw SQL Queries: 0 (4 prepared)
Unescaped Output: 715 (281 escaped)
Nonce Checks: 45
Capability Checks: 27
File Operations: 5
External Requests: 40
Bundled Libraries: 1

Dangerous Functions Found

  • unserialize · admin\classes\ajax-requests-class-older-php-version.php:433 · $result = unserialize($response['body']);
  • unserialize · admin\classes\ajax-requests-class-older-php-version.php:1366 · $result = unserialize($response['body']);
  • unserialize · admin\classes\ajax-requests-class.php:488 · $result = unserialize($response['body']);
  • unserialize · admin\classes\ajax-requests-class.php:1524 · $result = unserialize($response['body']);
  • unserialize · integrations\MCAPI.class.php:2902 · $serial = unserialize($response);
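All five sites above feed an HTTP response body, not a request parameter, into `unserialize()`. The example below is added here and is not code from mailchimp-subscribe-sm, MCAPI or any MailChimp SDK: it shows the flagged pattern, the `allowed_classes => false` hardening (PHP 7.0+), the JSON alternative, and a call site that keeps TLS verification on. The serialized payload is constructed for the example and names a made-up class; function names are hypothetical; `wp_remote_get()` and its helpers are WordPress core.

```php
<?php
// Added example (not the plugin's code). Class and function names are hypothetical.

// Constructed payload: the shape a tampered or spoofed API response would carry.
// In a real chain the class would be one already loaded on the site whose
// __wakeup()/__destruct() does something useful for the attacker.
$constructed_body = 'O:25:"Hypothetical_Temp_Cleanup":1:{s:4:"path";s:14:"/tmp/dummy.txt";}';

// The pattern the scanner flags: unserialize() instantiates whatever class the
// stream names and runs its magic methods. The remote side decides the class.
function smfb_example_parse_unsafe( $body ) {
    return unserialize( $body );
}

// Hardened: allowed_classes => false turns every object in the stream into
// __PHP_Incomplete_Class with no magic methods run; then reject anything that is
// not the array shape the API contract promises.
function smfb_example_parse_safe( $body ) {
    $result = @unserialize( $body, array( 'allowed_classes' => false ) );
    return is_array( $result ) ? $result : null;
}

// Preferred: ask the API for JSON. json_decode() cannot instantiate classes.
function smfb_example_parse_json( $body ) {
    $result = json_decode( $body, true );
    return ( JSON_ERROR_NONE === json_last_error() && is_array( $result ) ) ? $result : null;
}

// Call site: transport errors and non-200 statuses are rejected before parsing,
// and certificate verification stays on (the WordPress default).
function smfb_example_fetch_lists( $api_url, $api_key ) {
    $response = wp_remote_get( $api_url, array(
        'timeout'   => 10,
        'sslverify' => true, // never set false to "fix" certificate errors
        'headers'   => array(
            'Authorization' => 'Basic ' . base64_encode( 'anystring:' . $api_key ),
        ),
    ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return null;
    }
    return smfb_example_parse_json( wp_remote_retrieve_body( $response ) );
}
```

With the constructed payload, `smfb_example_parse_safe()` rejects the object and returns null, while `smfb_example_parse_unsafe()` hands control of the class choice to the remote side. The practical check for a site owner is that nothing in the stack (a `http_request_args` filter, a constant, a hosting "fix") sets `sslverify` to false, because that is the cheapest way for an attacker to become the "upstream" these call sites trust.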

Bundled Libraries

jQuery

SQL Query Safety

100% prepared (4 total queries)

Output Escaping

28% escaped (996 total outputs)

Data Flows (6 unsanitized)

Data Flow Analysis

20 flows, 6 with unsanitized paths

  • smfb_get_new_analytics (admin\classes\ajax-requests-class-older-php-version.php:2473)
Attack Surface (1 unprotected)

MailChimp Subscribe Form, Optin Builder, PopUp Builder, Form Builder Attack Surface

Entry Points: 62 · Unprotected: 1

AJAX Handlers (56)

auth = wp_ajax_ hook, runs only for logged-in users of any role; nopriv = wp_ajax_nopriv_ hook, reachable without a login. Five actions are registered under both, each in the older-php-version class and the current class. nopriv entries are public by design, so review each of them for nonce and input validation regardless of the scanner's "unprotected" count.

auth · wp_ajax_smfb_admin_data · admin\classes\ajax-requests-class-older-php-version.php:19
auth · wp_ajax_smfb_settings_data · admin\classes\ajax-requests-class-older-php-version.php:21
nopriv · wp_ajax_smfb_subscribeForm_data · admin\classes\ajax-requests-class-older-php-version.php:23
auth · wp_ajax_smfb_subscribeForm_data · admin\classes\ajax-requests-class-older-php-version.php:24
nopriv · wp_ajax_smfb_formBuilderEmail_ajax · admin\classes\ajax-requests-class-older-php-version.php:26
auth · wp_ajax_smfb_formBuilderEmail_ajax · admin\classes\ajax-requests-class-older-php-version.php:27
nopriv · wp_ajax_smfb_subscribeForm_mailchimp_data · admin\classes\ajax-requests-class-older-php-version.php:29
auth · wp_ajax_smfb_subscribeForm_mailchimp_data · admin\classes\ajax-requests-class-older-php-version.php:30
nopriv · wp_ajax_smfb_cta_click_conversion_record · admin\classes\ajax-requests-class-older-php-version.php:32
auth · wp_ajax_smfb_cta_click_conversion_record · admin\classes\ajax-requests-class-older-php-version.php:33
auth · wp_ajax_smfb_loadShortcode_content · admin\classes\ajax-requests-class-older-php-version.php:36
auth · wp_ajax_smfb_get_global_row_content · admin\classes\ajax-requests-class-older-php-version.php:39
auth · wp_ajax_smfb_insert_template · admin\classes\ajax-requests-class-older-php-version.php:42
auth · wp_ajax_smfb_subscribe_list_empty · admin\classes\ajax-requests-class-older-php-version.php:45
auth · wp_ajax_smfb_activate_pb_request · admin\classes\ajax-requests-class-older-php-version.php:48
auth · wp_ajax_smfb_empty_form_builder_data · admin\classes\ajax-requests-class-older-php-version.php:50
auth · wp_ajax_smfb_delete_form_builder_entry · admin\classes\ajax-requests-class-older-php-version.php:52
auth · wp_ajax_smfb_delete_optin_analytics · admin\classes\ajax-requests-class-older-php-version.php:54
auth · wp_ajax_smfb_get_new_analytics · admin\classes\ajax-requests-class-older-php-version.php:56
nopriv · wp_ajax_smfb_popup_closed · admin\classes\ajax-requests-class-older-php-version.php:58
auth · wp_ajax_smfb_popup_closed · admin\classes\ajax-requests-class-older-php-version.php:59
auth · wp_ajax_smfb_send_user_feedback · admin\classes\ajax-requests-class-older-php-version.php:61
auth · wp_ajax_smfb_aweber_connect · admin\classes\ajax-requests-class-older-php-version.php:63
auth · wp_ajax_smfb_aweber_connection_check · admin\classes\ajax-requests-class-older-php-version.php:64
auth · wp_ajax_smfb_getMCGroupIds · admin\classes\ajax-requests-class-older-php-version.php:66
auth · wp_ajax_smfb_getConstantContactLists · admin\classes\ajax-requests-class-older-php-version.php:68
auth · wp_ajax_smfb_admin_data · admin\classes\ajax-requests-class.php:19
auth · wp_ajax_smfb_settings_data · admin\classes\ajax-requests-class.php:21
nopriv · wp_ajax_smfb_subscribeForm_data · admin\classes\ajax-requests-class.php:23
auth · wp_ajax_smfb_subscribeForm_data · admin\classes\ajax-requests-class.php:24
nopriv · wp_ajax_smfb_formBuilderEmail_ajax · admin\classes\ajax-requests-class.php:26
auth · wp_ajax_smfb_formBuilderEmail_ajax · admin\classes\ajax-requests-class.php:27
nopriv · wp_ajax_smfb_subscribeForm_mailchimp_data · admin\classes\ajax-requests-class.php:29
auth · wp_ajax_smfb_subscribeForm_mailchimp_data · admin\classes\ajax-requests-class.php:30
nopriv · wp_ajax_smfb_cta_click_conversion_record · admin\classes\ajax-requests-class.php:32
auth · wp_ajax_smfb_cta_click_conversion_record · admin\classes\ajax-requests-class.php:33
auth · wp_ajax_smfb_loadShortcode_content · admin\classes\ajax-requests-class.php:36
auth · wp_ajax_smfb_get_global_row_content · admin\classes\ajax-requests-class.php:39
auth · wp_ajax_smfb_insert_template · admin\classes\ajax-requests-class.php:42
auth · wp_ajax_smfb_subscribe_list_empty · admin\classes\ajax-requests-class.php:45
auth · wp_ajax_smfb_activate_pb_request · admin\classes\ajax-requests-class.php:48
auth · wp_ajax_smfb_empty_form_builder_data · admin\classes\ajax-requests-class.php:50
auth · wp_ajax_smfb_delete_form_builder_entry · admin\classes\ajax-requests-class.php:52
auth · wp_ajax_smfb_delete_optin_analytics · admin\classes\ajax-requests-class.php:54
auth · wp_ajax_smfb_get_new_analytics · admin\classes\ajax-requests-class.php:56
nopriv · wp_ajax_smfb_popup_closed · admin\classes\ajax-requests-class.php:58
auth · wp_ajax_smfb_popup_closed · admin\classes\ajax-requests-class.php:59
auth · wp_ajax_smfb_send_user_feedback · admin\classes\ajax-requests-class.php:61
auth · wp_ajax_smfb_aweber_connect · admin\classes\ajax-requests-class.php:63
auth · wp_ajax_smfb_aweber_connection_check · admin\classes\ajax-requests-class.php:64
auth · wp_ajax_smfb_getMCGroupIds · admin\classes\ajax-requests-class.php:66
auth · wp_ajax_smfb_getCkSequenceIds · admin\classes\ajax-requests-class.php:68
auth · wp_ajax_smfb_getConstantContactLists · admin\classes\ajax-requests-class.php:70
auth · wp_ajax_sm_popb_enable_safe_mode · admin\classes\ajax-requests-class.php:72
auth · wp_ajax_msfm_send_user_feedback · admin\classes\feedback.php:23
auth · wp_ajax_pluginops_sm_delete_form · mun\inc\class-pluginops-form-loader.php:18
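What "auth" and "nopriv" buy you, and what they do not, is easiest to see in code. The following is an added example and not code from mailchimp-subscribe-sm: one public (nopriv) subscribe handler and one privileged delete handler, each carrying the nonce and capability gating the handlers listed above should have. Action names, nonce actions, the table name and the capability choice are hypothetical, and the `pluginops_forms` post type is inferred from the hook names on this page; the `wp_ajax_*` hooks, `check_ajax_referer()`, `current_user_can()` and `wp_send_json_*()` are WordPress core. Assumes PHP 7+.

```php
<?php
// Added example (not the plugin's code). Action and table names are hypothetical.

// Public by design (a nopriv twin is registered): anonymous visitors must reach it.
// A nonce issued to a logged-out visitor is the same for every logged-out
// visitor, so here it only stops casual cross-site automation; the real
// defences are strict input validation and doing nothing privileged.
add_action( 'wp_ajax_nopriv_smfb_example_subscribe', 'smfb_example_subscribe' );
add_action( 'wp_ajax_smfb_example_subscribe', 'smfb_example_subscribe' );
function smfb_example_subscribe() {
    check_ajax_referer( 'smfb_example_subscribe', 'nonce' ); // 403 and die on mismatch
    $email   = sanitize_email( wp_unslash( $_POST['email'] ?? '' ) );
    $form_id = absint( $_POST['form_id'] ?? 0 );
    if ( ! is_email( $email ) || 'pluginops_forms' !== get_post_type( $form_id ) ) {
        wp_send_json_error( array( 'message' => 'invalid request' ), 400 );
    }
    // hand $email and $form_id to the list provider here
    wp_send_json_success( array( 'subscribed' => true ) );
}

// Privileged (no nopriv twin): WordPress runs wp_ajax_ hooks only for logged-in
// users, but "logged in" includes Subscriber and Contributor accounts, so the
// capability check is what actually authorises the destructive action. A
// handler with neither check is what an unprotected AJAX entry point looks like.
add_action( 'wp_ajax_smfb_example_delete_entry', 'smfb_example_delete_entry' );
function smfb_example_delete_entry() {
    check_ajax_referer( 'smfb_example_admin', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    $entry_id = absint( $_POST['entry_id'] ?? 0 );
    if ( ! $entry_id ) {
        wp_send_json_error( array( 'message' => 'bad entry id' ), 400 );
    }
    global $wpdb;
    $deleted = $wpdb->delete(
        $wpdb->prefix . 'smfb_example_entries',
        array( 'id' => $entry_id ),
        array( '%d' )
    );
    wp_send_json_success( array( 'deleted' => (int) $deleted ) );
}

// Nonce issuance for the front-end script. The page lists msf_obj as the real
// plugin's JS global; this object name is hypothetical.
add_action( 'wp_enqueue_scripts', function () {
    wp_localize_script( 'smfb-example', 'smfb_example_obj', array(
        'ajax_url' => admin_url( 'admin-ajax.php' ),
        'nonce'    => wp_create_nonce( 'smfb_example_subscribe' ),
    ) );
} );
```

When auditing a list like the one above, the question for each auth handler is which capability it checks, not just whether it checks a nonce: a nonce proves the request came from a page the site served to this user, not that the user is allowed to do the thing.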

Shortcodes 6

[pluginops_form] admin\classes\admin.php:44
[pluginops_popup_form] admin\classes\admin.php:46
[pluginops_flyin_form] admin\classes\admin.php:47
[pluginops_bar_form] admin\classes\admin.php:48
[pluginops_full_page_form] admin\classes\admin.php:49
[pb_samlple_nav] admin\classes\admin.php:54
WordPress Hooks (29)

action · init · admin\classes\admin.php:18
action · admin_enqueue_scripts · admin\classes\admin.php:20
action · admin_enqueue_scripts · admin\classes\admin.php:26
action · edit_form_after_title · admin\classes\admin.php:30
action · admin_print_scripts · admin\classes\admin.php:32
filter · hidden_meta_boxes · admin\classes\admin.php:37
filter · manage_pluginops_forms_posts_columns · admin\classes\admin.php:39
action · manage_pluginops_forms_posts_custom_column · admin\classes\admin.php:41
action · manage_pluginops_forms_posts_custom_column · admin\classes\admin.php:42
action · admin_menu · admin\classes\admin.php:52
filter · the_content · admin\classes\admin.php:60
action · wp_body_open · admin\classes\admin.php:62
action · wp_footer · admin\classes\admin.php:64
action · wp_body_open · admin\classes\admin.php:68
action · wp_footer · admin\classes\admin.php:70
filter · wp_mail_content_type · admin\classes\ajax-requests-class-older-php-version.php:1169
filter · wp_mail_content_type · admin\classes\ajax-requests-class.php:1272
action · admin_enqueue_scripts · admin\classes\feedback.php:16
action · admin_footer · admin\classes\feedback.php:17
action · admin_notices · admin\views\ntifs\ask-review.php:15
action · admin_init · admin\views\ntifs\ask-review.php:22
action · admin_init · admin\views\ntifs\ask-review.php:60
action · admin_notices · ask-review.php:29
action · admin_init · ask-review.php:34
action · admin_init · ask-review.php:114
action · widgets_init · BC\ssm_wp_widgets.php:92
action · admin_menu · mun\inc\class-pluginops-form-loader.php:9
action · init · mun\inc\class-pluginops-form-loader.php:20
action · admin_init · subcribe-me.php:41
Maintenance & Trust

MailChimp Subscribe Form, Optin Builder, PopUp Builder, Form Builder Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.8.5
Last updated: Nov 14, 2025
PHP min version: 5.0
Downloads: 450K

Community Trust

Rating: 80/100
Number of ratings: 65
Active installs: 3K
Developer Profile

MailChimp Subscribe Form, Optin Builder, PopUp Builder, Form Builder Developer Profile

PluginOps

11 plugins · 15K total installs

Trust score: 66
Avg Security Score: 82/100
Avg Patch Time: 445 days
Detection Fingerprints

How We Detect MailChimp Subscribe Form, Optin Builder, PopUp Builder, Form Builder

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/mailchimp-subscribe-sm/assets/css/custom-css.css
  • /wp-content/plugins/mailchimp-subscribe-sm/assets/css/main.css
  • /wp-content/plugins/mailchimp-subscribe-sm/assets/js/custom-js.js
  • /wp-content/plugins/mailchimp-subscribe-sm/assets/js/main.js
Script Paths
  • /wp-content/plugins/mailchimp-subscribe-sm/assets/js/main.js
  • /wp-content/plugins/mailchimp-subscribe-sm/assets/js/custom-js.js
Version Parameters
  • mailchimp-subscribe-sm/assets/css/main.css?ver=
  • mailchimp-subscribe-sm/assets/js/main.js?ver=

HTML / DOM Fingerprints

CSS Classes
  • msf-sub-wrap, msf-form-builder, msf-sub-form
Data Attributes
  • data-msf-form-id
JS Globals
  • msf_obj
Shortcode Output
  • [mailchimp_subscribe], [mailchimp_subscribe form_id=
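The fingerprints above are applied in the example below, which is added here and is not the scanner's own code: it matches the asset paths, CSS classes, data attribute and JS global against a page fragment, reads the version from the `?ver=` parameter, and maps that version onto the fix versions listed in the Vulnerabilities section. The HTML fragment is constructed for the example and function names are hypothetical; only PHP standard functions are used, so it runs outside WordPress.

```php
<?php
// Added example (not the scanner's code). The HTML below is constructed, not captured.

$constructed_html = <<<'HTML'
<link rel="stylesheet" href="https://shop.example.test/wp-content/plugins/mailchimp-subscribe-sm/assets/css/main.css?ver=4.0.9.6" />
<div class="widget msf-sub-wrap" data-msf-form-id="12"><form class="msf-sub-form"></form></div>
<script src="https://shop.example.test/wp-content/plugins/mailchimp-subscribe-sm/assets/js/main.js?ver=4.0.9.6"></script>
HTML;

// First fixed version for each identifier in the Vulnerabilities section.
$smfb_example_fixed_in = array(
    'CVE-2025-22727' => '4.2',
    'CVE-2024-43211' => '4.0.9.8',
    'CVE-2023-33328' => '4.0.9.2',
    'CVE-2023-32517' => '4.0.9.4',
    'WF-680746a3-8a72-4ec2-9f58-d744f40168ed-mailchimp-subscribe-sm' => '1.2',
);

function smfb_example_fingerprint( $html ) {
    $hit = array( 'present' => false, 'version' => null, 'signals' => array() );

    // Asset paths: css/js under the plugin slug, optionally with ?ver=.
    $re = '#/wp-content/plugins/mailchimp-subscribe-sm/assets/(?:css|js)/[\w-]+\.(?:css|js)(?:\?ver=([0-9][\w.]*))?#';
    if ( preg_match_all( $re, $html, $m ) ) {
        $hit['present']   = true;
        $hit['signals'][] = 'asset-path';
        $versions = array_values( array_unique( array_filter( $m[1] ) ) );
        if ( $versions ) {
            $hit['version'] = $versions[0];
        }
    }

    // DOM fingerprints: class names as whole tokens inside a class attribute.
    foreach ( array( 'msf-sub-wrap', 'msf-form-builder', 'msf-sub-form' ) as $class ) {
        $class_re = '/class="(?:[^"]*\s)?' . preg_quote( $class, '/' ) . '(?:\s[^"]*)?"/';
        if ( preg_match( $class_re, $html ) ) {
            $hit['present']   = true;
            $hit['signals'][] = 'class:' . $class;
        }
    }
    foreach ( array( 'data-msf-form-id', 'msf_obj' ) as $token ) {
        if ( false !== strpos( $html, $token ) ) {
            $hit['present']   = true;
            $hit['signals'][] = 'token:' . $token;
        }
    }
    return $hit;
}

// Identifiers whose fix version is newer than the version the site exposes.
// version_compare() orders 4.0.9.7 below 4.1, which a string compare would not.
function smfb_example_known_cves( $version, array $fixed_in ) {
    $open = array();
    foreach ( $fixed_in as $id => $fixed ) {
        if ( version_compare( $version, $fixed, '<' ) ) {
            $open[] = $id;
        }
    }
    return $open;
}

$hit = smfb_example_fingerprint( $constructed_html );
if ( $hit['present'] ) {
    $open = $hit['version'] ? smfb_example_known_cves( $hit['version'], $smfb_example_fixed_in ) : array();
    printf(
        "mailchimp-subscribe-sm %s detected via %s; not yet fixed at this version: %s\n",
        $hit['version'] ?: 'unknown version',
        implode( ', ', $hit['signals'] ),
        $open ? implode( ', ', $open ) : 'none'
    );
}
```

The `?ver=` value is whatever the plugin passed to `wp_enqueue_script()`; some plugins pass the WordPress core version or a cache-buster instead of their own, so treat it as a hint and confirm against the plugin's own version string (the `Stable tag` in `readme.txt`, when the plugin directory is readable) before reporting a CVE match.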
FAQ

Frequently Asked Questions about MailChimp Subscribe Form, Optin Builder, PopUp Builder, Form Builder