[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fS3vLsaybnlO7FfPhLe2CFWJXUlgathxNZsMXj7VxoWI":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2025-12172","mailchimp-list-subscribe-form-cross-site-request-forgery-to-mailchimp-list-change","Mailchimp List Subscribe Form \u003C= 2.0.0 - Cross-Site Request Forgery to Mailchimp List Change","The Mailchimp List Subscribe Form plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.0.0. This is due to missing or incorrect nonce validation on the mailchimp_sf_change_list_if_necessary() function. 
This makes it possible for unauthenticated attackers to change Mailchimp lists via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.","mailchimp",null,"\u003C=2.0.0","2.0.1","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2026-02-18 14:55:46","2026-02-19 03:25:12",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F3e270633-0031-41c1-98ac-ce96cd599a60?source=api-prod",1,[],"researched",false,3,"# Exploitation Research Plan: CVE-2025-12172\n\n## 1. Vulnerability Summary\nThe **Mailchimp List Subscribe Form** plugin (\u003C= 2.0.0) is vulnerable to **Cross-Site Request Forgery (CSRF)**. The vulnerability exists in the function `mailchimp_sf_change_list_if_necessary()` (inferred), which handles the update of the Mailchimp list ID associated with the subscription form. Because the function fails to perform nonce validation (via `check_admin_referer` or `wp_verify_nonce`), an attacker can trick an authenticated administrator into making a request that changes the site's active Mailchimp list to one controlled by the attacker. This redirects all new subscriber data to the attacker's list.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin.php?page=mailchimp-sf` (inferred slug) or any administrative page if the function is hooked to `admin_init`.\n*   **Vulnerable Function:** `mailchimp_sf_change_list_if_necessary()` (inferred).\n*   **Action\u002FHook:** Likely `admin_init` or `admin_menu`.\n*   **Payload Parameter:** Likely `mailchimp_list` or `mc_list_id` (inferred).\n*   **Authentication Level:** CSRF (requires a logged-in Administrator to trigger the request).\n*   **Preconditions:** The plugin must be installed and the administrator must be logged in.\n\n## 3. Code Flow (Inferred)\n1.  
**Entry Point:** The plugin registers a callback for `admin_init` or a specific admin page load.\n2.  **Processing:** During the request lifecycle, `mailchimp_sf_change_list_if_necessary()` is executed.\n3.  **Vulnerable Logic:**\n    ```php\n    function mailchimp_sf_change_list_if_necessary() {\n        if ( isset( $_POST['mailchimp_list'] ) ) { \u002F\u002F Inferred parameter\n            \u002F\u002F VULNERABILITY: Missing check_admin_referer() or wp_verify_nonce()\n            $new_list_id = sanitize_text_field( $_POST['mailchimp_list'] );\n            update_option( 'mailchimp_list_id', $new_list_id ); \u002F\u002F Inferred option\n        }\n    }\n    ```\n4.  **Sink:** The `update_option()` function persists the attacker-supplied list ID to the database.\n\n## 4. Nonce Acquisition Strategy\nAccording to the vulnerability description, the function **lacks** nonce validation entirely. Therefore, no nonce is required to exploit this vulnerability. The attacker only needs to forge a request that the administrator's browser will execute.\n\n## 5. Exploitation Strategy\nThe goal is to change the configured Mailchimp list ID.\n\n### Step-by-Step Plan:\n1.  **Identify the target parameter:** Determine the exact POST parameter name used by the plugin to update the list ID. We will do this by navigating to the plugin settings page as an admin and inspecting the form.\n2.  **Construct the CSRF Payload:** Create an automated POST request targeting the Mailchimp settings page.\n3.  **Execute the Exploit:** Use the `http_request` tool (simulating the administrator's session) to send the forged POST request.\n\n### Forged Request (Example):\n*   **Method:** `POST`\n*   **URL:** `http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin.php?page=mailchimp-sf` (inferred)\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body:** `mailchimp_list=ATTACKER_LIST_ID_666&submit=Save Changes` (inferred)\n\n## 6. Test Data Setup\n1.  
**Install Plugin:** Install \"Mailchimp List Subscribe Form\" version 2.0.0.\n2.  **Configuration:**\n    *   Set up a dummy Mailchimp API key (if required to reach the list selection screen).\n    *   Establish a \"Valid\" list ID (e.g., `original_list_123`).\n3.  **Admin Access:** Ensure the execution agent has the administrator's cookies\u002Fsession.\n\n## 7. Expected Results\n*   The server should return a `302 Redirect` or a `200 OK` indicating the settings were processed.\n*   The request should succeed **without** providing a `_wpnonce` or `_wp_http_referer` parameter.\n*   The internal WordPress option storing the Mailchimp list ID should be updated to the attacker's value.\n\n## 8. Verification Steps\nAfter sending the `http_request`, verify the change using WP-CLI:\n\n```bash\n# Check the value of the option (replace 'mailchimp_list_id' with the actual option name discovered)\nwp option get mailchimp_list_id\n```\n*Expected Output:* `ATTACKER_LIST_ID_666`\n\n## 9. Alternative Approaches\nIf the plugin uses a different method for saving settings (e.g., `options.php` or AJAX):\n\n*   **AJAX Scenario:** If the function is hooked to `wp_ajax_mailchimp_change_list`, the request would target `\u002Fwp-admin\u002Fadmin-ajax.php` with the parameter `action=mailchimp_change_list`.\n*   **Settings API Scenario:** If it's a standard settings page, the CSRF would target `\u002Fwp-admin\u002Foptions.php`, though WordPress Core usually protects this with `_wpnonce`. 
The vulnerability description specifically points to `mailchimp_sf_change_list_if_necessary()`, suggesting a custom, unprotected handler.\n\n### Discovery Phase (To refine parameters):\nBefore launching the exploit, the agent should run:\n```bash\n# Find where the vulnerable function is defined and what it does\ngrep -rn \"function mailchimp_sf_change_list_if_necessary\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fmailchimp\u002F\n# Find where it is hooked\ngrep -rn \"mailchimp_sf_change_list_if_necessary\" \u002Fvar\u002Fwww\u002Fhtml\u002Fwp-content\u002Fplugins\u002Fmailchimp\u002F\n```\nUse the output to confirm the exact `$_POST` parameter and `update_option` key.","The Mailchimp List Subscribe Form plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) due to a lack of nonce validation in the mailchimp_sf_change_list_if_necessary() function. This allows unauthenticated attackers to trick a logged-in administrator into changing the active Mailchimp list ID, effectively hijacking subscriber data and redirecting it to an attacker-controlled list.","\u002F\u002F Inferred from vulnerability description and research plan\n\u002F\u002F File: mailchimp.php\n\nfunction mailchimp_sf_change_list_if_necessary() {\n    if ( isset( $_POST['mailchimp_list'] ) ) {\n        \u002F\u002F VULNERABILITY: Missing check_admin_referer() or wp_verify_nonce() verification\n        $new_list_id = sanitize_text_field( $_POST['mailchimp_list'] );\n        update_option( 'mailchimp_list_id', $new_list_id ); \n    }\n}","--- mailchimp.php\n+++ mailchimp.php\n@@ -1,6 +1,7 @@\n function mailchimp_sf_change_list_if_necessary() {\n     if ( isset( $_POST['mailchimp_list'] ) ) {\n+        check_admin_referer( 'mailchimp_sf_list_change' );\n         $new_list_id = sanitize_text_field( $_POST['mailchimp_list'] );\n         update_option( 'mailchimp_list_id', $new_list_id ); \n     }\n }","The exploit targets the plugin's administrative settings page and 
requires an authenticated administrator to interact with a malicious link or form. \n\n1. Target Endpoint: The administrator-facing settings page, typically located at `\u002Fwp-admin\u002Fadmin.php?page=mailchimp-sf`.\n2. Payload: An attacker crafts an HTML page containing an auto-submitting form (or a hidden form triggered via JavaScript) that performs a POST request to the target URL. \n3. Parameters: The request must include the parameter responsible for updating the list ID (e.g., `mailchimp_list`) set to an attacker-controlled Mailchimp list ID. \n4. Trigger: The attacker uses social engineering to trick a logged-in administrator into visiting the malicious page. \n5. Result: Since the plugin fails to verify a nonce, the WordPress backend processes the forged request, updates the list ID in the database, and redirects all future newsletter subscriptions to the attacker's Mailchimp account.","gemini-3-flash-preview","2026-04-19 03:49:38","2026-04-19 03:51:21",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","2.0.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmailchimp\u002Ftags\u002F2.0.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmailchimp.2.0.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmailchimp\u002Ftags\u002F2.0.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fmailchimp.2.0.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fmailchimp\u002Ftags"]
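Review bot: in the `mailchimp.php` hunk, the added `check_admin_referer( 'mailchimp_sf_list_change' );` line is the only guard in front of `update_option()`, and the hunk shows neither the form side of the nonce nor a capability check. Suggest that the same change emit `wp_nonce_field( 'mailchimp_sf_list_change' )` in the settings form that posts `mailchimp_list`, otherwise legitimate saves will fail the new check, and that a `current_user_can( 'manage_options' )` test be added inside the `isset( $_POST['mailchimp_list'] )` branch before the option is written. The value should also pass through `wp_unslash()` before `sanitize_text_field()`. Since the page marks the function body as inferred, the action string and option name should be confirmed against the 2.0.1 tag before relying on this diff.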