Mailchimp List Subscribe Form <= 2.0.0 - Cross-Site Request Forgery to Mailchimp List Change
Description
The Mailchimp List Subscribe Form plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.0. This is due to missing or incorrect nonce validation on the mailchimp_sf_change_list_if_necessary() function. This makes it possible for unauthenticated attackers to change Mailchimp lists via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:NTechnical Details
<=2.0.0Source Code
WordPress.org SVN# Exploitation Research Plan: CVE-2025-12172 ## 1. Vulnerability Summary The **Mailchimp List Subscribe Form** plugin (<= 2.0.0) is vulnerable to **Cross-Site Request Forgery (CSRF)**. The vulnerability exists in the function `mailchimp_sf_change_list_if_necessary()` (inferred), which handles the u…
Show full research plan
Exploitation Research Plan: CVE-2025-12172
1. Vulnerability Summary
The Mailchimp List Subscribe Form plugin (<= 2.0.0) is vulnerable to Cross-Site Request Forgery (CSRF). The vulnerability exists in the function mailchimp_sf_change_list_if_necessary() (inferred), which handles the update of the Mailchimp list ID associated with the subscription form. Because the function fails to perform nonce validation (via check_admin_referer or wp_verify_nonce), an attacker can trick an authenticated administrator into making a request that changes the site's active Mailchimp list to one controlled by the attacker. This redirects all new subscriber data to the attacker's list.
2. Attack Vector Analysis
- Endpoint:
/wp-admin/admin.php?page=mailchimp-sf(inferred slug) or any administrative page if the function is hooked toadmin_init. - Vulnerable Function:
mailchimp_sf_change_list_if_necessary()(inferred). - Action/Hook: Likely
admin_initoradmin_menu. - Payload Parameter: Likely
mailchimp_listormc_list_id(inferred). - Authentication Level: CSRF (requires a logged-in Administrator to trigger the request).
- Preconditions: The plugin must be installed and the administrator must be logged in.
3. Code Flow (Inferred)
- Entry Point: The plugin registers a callback for
admin_initor a specific admin page load. - Processing: During the request lifecycle,
mailchimp_sf_change_list_if_necessary()is executed. - Vulnerable Logic:
function mailchimp_sf_change_list_if_necessary() { if ( isset( $_POST['mailchimp_list'] ) ) { // Inferred parameter // VULNERABILITY: Missing check_admin_referer() or wp_verify_nonce() $new_list_id = sanitize_text_field( $_POST['mailchimp_list'] ); update_option( 'mailchimp_list_id', $new_list_id ); // Inferred option } } - Sink: The
update_option()function persists the attacker-supplied list ID to the database.
4. Nonce Acquisition Strategy
According to the vulnerability description, the function lacks nonce validation entirely. Therefore, no nonce is required to exploit this vulnerability. The attacker only needs to forge a request that the administrator's browser will execute.
5. Exploitation Strategy
The goal is to change the configured Mailchimp list ID.
Step-by-Step Plan:
- Identify the target parameter: Determine the exact POST parameter name used by the plugin to update the list ID. We will do this by navigating to the plugin settings page as an admin and inspecting the form.
- Construct the CSRF Payload: Create an automated POST request targeting the Mailchimp settings page.
- Execute the Exploit: Use the
http_requesttool (simulating the administrator's session) to send the forged POST request.
Forged Request (Example):
- Method:
POST - URL:
http://localhost:8080/wp-admin/admin.php?page=mailchimp-sf(inferred) - Headers:
Content-Type: application/x-www-form-urlencoded - Body:
mailchimp_list=ATTACKER_LIST_ID_666&submit=Save Changes(inferred)
6. Test Data Setup
- Install Plugin: Install "Mailchimp List Subscribe Form" version 2.0.0.
- Configuration:
- Set up a dummy Mailchimp API key (if required to reach the list selection screen).
- Establish a "Valid" list ID (e.g.,
original_list_123).
- Admin Access: Ensure the execution agent has the administrator's cookies/session.
7. Expected Results
- The server should return a
302 Redirector a200 OKindicating the settings were processed. - The request should succeed without providing a
_wpnonceor_wp_http_refererparameter. - The internal WordPress option storing the Mailchimp list ID should be updated to the attacker's value.
8. Verification Steps
After sending the http_request, verify the change using WP-CLI:
# Check the value of the option (replace 'mailchimp_list_id' with the actual option name discovered)
wp option get mailchimp_list_id
Expected Output: ATTACKER_LIST_ID_666
9. Alternative Approaches
If the plugin uses a different method for saving settings (e.g., options.php or AJAX):
- AJAX Scenario: If the function is hooked to
wp_ajax_mailchimp_change_list, the request would target/wp-admin/admin-ajax.phpwith the parameteraction=mailchimp_change_list. - Settings API Scenario: If it's a standard settings page, the CSRF would target
/wp-admin/options.php, though WordPress Core usually protects this with_wpnonce. The vulnerability description specifically points tomailchimp_sf_change_list_if_necessary(), suggesting a custom, unprotected handler.
Discovery Phase (To refine parameters):
Before launching the exploit, the agent should run:
# Find where the vulnerable function is defined and what it does
grep -rn "function mailchimp_sf_change_list_if_necessary" /var/www/html/wp-content/plugins/mailchimp/
# Find where it is hooked
grep -rn "mailchimp_sf_change_list_if_necessary" /var/www/html/wp-content/plugins/mailchimp/
Use the output to confirm the exact $_POST parameter and update_option key.
Summary
The Mailchimp List Subscribe Form plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) due to a lack of nonce validation in the mailchimp_sf_change_list_if_necessary() function. This allows unauthenticated attackers to trick a logged-in administrator into changing the active Mailchimp list ID, effectively hijacking subscriber data and redirecting it to an attacker-controlled list.
Vulnerable Code
// Inferred from vulnerability description and research plan // File: mailchimp.php function mailchimp_sf_change_list_if_necessary() { if ( isset( $_POST['mailchimp_list'] ) ) { // VULNERABILITY: Missing check_admin_referer() or wp_verify_nonce() verification $new_list_id = sanitize_text_field( $_POST['mailchimp_list'] ); update_option( 'mailchimp_list_id', $new_list_id ); } }
Security Fix
@@ -1,6 +1,7 @@ function mailchimp_sf_change_list_if_necessary() { if ( isset( $_POST['mailchimp_list'] ) ) { + check_admin_referer( 'mailchimp_sf_list_change' ); $new_list_id = sanitize_text_field( $_POST['mailchimp_list'] ); update_option( 'mailchimp_list_id', $new_list_id ); } }
Exploit Outline
The exploit targets the plugin's administrative settings page and requires an authenticated administrator to interact with a malicious link or form. 1. Target Endpoint: The administrator-facing settings page, typically located at `/wp-admin/admin.php?page=mailchimp-sf`. 2. Payload: An attacker crafts an HTML page containing an auto-submitting form (or a hidden form triggered via JavaScript) that performs a POST request to the target URL. 3. Parameters: The request must include the parameter responsible for updating the list ID (e.g., `mailchimp_list`) set to an attacker-controlled Mailchimp list ID. 4. Trigger: The attacker uses social engineering to trick a logged-in administrator into visiting the malicious page. 5. Result: Since the plugin fails to verify a nonce, the WordPress backend processes the forged request, updates the list ID in the database, and redirects all future newsletter subscriptions to the attacker's Mailchimp account.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.