CVE-2026-25420

MailerLite – Signup forms (official) <= 1.7.18 - Missing Authorization

Severity: medium (Missing Authorization)
CVSS Score: 4.3
Patched in: 1.7.19
Time to patch: 97d

Description

The MailerLite – Signup forms (official) plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.7.18. This makes it possible for authenticated attackers, with Contributor-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Technical Details

Affected versions: <=1.7.18
Published: January 28, 2026
Last updated: May 4, 2026

What Changed in the Fix

Changes introduced in v1.7.19


Source Code: WordPress.org SVN

Research Plan (Unverified)


CVE-2026-25420 - MailerLite Signup Forms Authorization Bypass Research Plan

1. Vulnerability Summary

The MailerLite – Signup forms (official) plugin (<= 1.7.18) contains a missing authorization vulnerability. While the plugin aims to allow specific roles to manage forms (introduced in version 1.7.0), it fails to properly enforce capability checks on administrative functions, particularly those handled in src/Controllers/AdminController.php. This allows authenticated users with Contributor-level permissions to perform unauthorized actions such as creating or modifying signup forms, which should typically be restricted to administrators or specific authorized roles.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin.php?page=mailerlite_main
  • Trigger: The AdminController::forms() method is used to process form creation and editing. If this logic is hooked to admin_init or if the menu page registration uses a broad capability (like edit_posts or read), Contributors can trigger the processing logic.
  • Payload Parameters:
    • view=create (GET)
    • create_signup_form=1 (POST)
    • form_type=1 (POST - Custom) or 2 (POST - Embedded)
  • Authentication: Authenticated, Contributor-level access.
  • Preconditions: A valid MailerLite API key must be
Research Findings
Static analysis — not yet PoC-verified

Summary

The MailerLite – Signup forms (official) plugin for WordPress fails to implement proper capability checks within its AdminController, specifically in the form management logic. This allows authenticated users with Contributor-level permissions or higher to perform unauthorized actions, such as deleting existing signup forms.

Vulnerable Code

// src/Controllers/AdminController.php line 323
        } // Delete signup form view
        elseif ( isset( $_GET['view'] ) && isset( $_GET['id'] )
                 && $_GET['view'] == 'delete'
                 && absint( $_GET['id'] ) ) {
            $wpdb->delete(
                $wpdb->base_prefix . 'mailerlite_forms', [ 'id' => absint( $_GET['id'] ) ]
            );
--- 
// src/Controllers/AdminController.php line 345
        // Create new signup form view
        if ( isset( $_GET['view'] ) && $_GET['view'] == 'create' ) {

            if ( isset( $_POST['create_signup_form'] ) ) {

                ( new Form() )->create_new_form( $_POST );

                wp_redirect(
                    'admin.php?page=mailerlite_main&view=edit&id='
                    . $wpdb->insert_id
                );

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/official-mailerlite-sign-up-forms/1.7.18/src/Controllers/AdminController.php /home/deploy/wp-safety.org/data/plugin-versions/official-mailerlite-sign-up-forms/1.7.19/src/Controllers/AdminController.php
--- /home/deploy/wp-safety.org/data/plugin-versions/official-mailerlite-sign-up-forms/1.7.18/src/Controllers/AdminController.php\t2025-12-10 08:22:54.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/official-mailerlite-sign-up-forms/1.7.19/src/Controllers/AdminController.php\t2026-02-17 12:18:46.000000000 +0000
@@ -323,7 +323,8 @@
         } // Delete signup form view
         elseif ( isset( $_GET['view'] ) && isset( $_GET['id'] )
                  && $_GET['view'] == 'delete'
-                 && absint( $_GET['id'] ) ) {
+                 && absint( $_GET['id'] )
+                 && current_user_can( 'manage_options' )) {
             $wpdb->delete(
                 $wpdb->base_prefix . 'mailerlite_forms', [ 'id' => absint( $_GET['id'] ) ]
             );
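Review bot: the new `current_user_can( 'manage_options' )` term closes the capability gap on this branch, but the condition still fires on a plain GET (`$_GET['view'] == 'delete'`) with no nonce verification, so a form deletion can still be triggered by any request an authorized user is induced to load; pair the capability check with `check_admin_referer( ... )` (or `wp_verify_nonce`) and emit the matching nonce from the delete link. This hunk also touches only the delete branch; the create branch at line 345 (`$_GET['view'] == 'create'` / `create_signup_form`) quoted under Vulnerable Code is not in this diff, so confirm it received an equivalent check elsewhere in 1.7.19. Minor: `'manage_options' )) {` breaks the file's `( ... ) )` spacing; `'manage_options' ) ) {` matches the surrounding style.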

Exploit Outline

The exploit target is the AdminController::forms() method, which is accessible via the WordPress admin dashboard. An attacker with Contributor-level access (which typically has limited admin menu access) can bypass intended restrictions by sending requests directly to the MailerLite management page. To delete a form, the attacker sends a GET request to /wp-admin/admin.php?page=mailerlite_main&view=delete&id={FORM_ID}. Because the plugin (prior to 1.7.19) lacks a capability check (current_user_can) in the delete logic branch, the database operation is executed regardless of the user's actual administrative privileges.
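As a defender-side check, the following Python heuristic is an added example (not from the wp-safety.org write-up or the plugin's code) that scans PHP source for if/elseif branches keyed on $_GET['view'] and reports whether each guarding condition calls current_user_can(), and, because the delete runs on a GET, whether it verifies a nonce. The two PHP snippets are constructed from the 1.7.18 and 1.7.19 excerpts quoted above; the patched snippet covers only the delete branch the diff shows.

```python
import re

# Constructed from the 1.7.18 excerpts quoted on this page (vulnerable branches).
VULNERABLE_1_7_18 = r"""
        elseif ( isset( $_GET['view'] ) && isset( $_GET['id'] )
                 && $_GET['view'] == 'delete'
                 && absint( $_GET['id'] ) ) {
            $wpdb->delete( $wpdb->base_prefix . 'mailerlite_forms', [ 'id' => absint( $_GET['id'] ) ] ); }
        if ( isset( $_GET['view'] ) && $_GET['view'] == 'create' ) { ( new Form() )->create_new_form( $_POST ); }
"""

# Constructed from the 1.7.19 hunk quoted on this page (delete branch only).
PATCHED_1_7_19 = r"""
        elseif ( isset( $_GET['view'] ) && isset( $_GET['id'] )
                 && $_GET['view'] == 'delete'
                 && absint( $_GET['id'] )
                 && current_user_can( 'manage_options' )) {
            $wpdb->delete( $wpdb->base_prefix . 'mailerlite_forms', [ 'id' => absint( $_GET['id'] ) ] ); }
"""

_BRANCH_RE = re.compile(r"\b(?:else\s*)?if\s*\(")  # matches "if (", "elseif (", "else if ("
_VIEW_RE = re.compile(r"""\$_GET\[['"]view['"]\]\s*==\s*['"](\w+)['"]""")


def _condition_text(src, open_idx):  # text inside the '(' at open_idx and its matching ')'
    depth = 0
    for i in range(open_idx, len(src)):
        depth += {"(": 1, ")": -1}.get(src[i], 0)
        if depth == 0:
            return src[open_idx + 1:i]
    return src[open_idx + 1:]  # unbalanced source: take the rest


def audit_view_handlers(php_src):
    """One record per if/elseif keyed on $_GET['view'], noting what its condition verifies."""
    results = []
    for m in _BRANCH_RE.finditer(php_src):
        cond = _condition_text(php_src, m.end() - 1)
        view = _VIEW_RE.search(cond)
        if view:
            results.append({
                "line": php_src.count("\n", 0, m.start()) + 1,
                "view": view.group(1),
                "capability_checked": bool(re.search(r"current_user_can\s*\(", cond)),
                "nonce_checked": bool(re.search(r"(wp_verify_nonce|check_admin_referer)\s*\(", cond)),
            })
    return results


def unguarded_views(php_src):
    """View handlers whose guarding condition never calls current_user_can()."""
    return [r["view"] for r in audit_view_handlers(php_src) if not r["capability_checked"]]
```

Run over the full src/Controllers/AdminController.php of an installed copy it lists every view handler lacking a capability check; the regexes do not understand PHP scoping, so treat hits as leads to read, not proof.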
