CVE-2026-1000

MailerLite - WooCommerce integration <= 3.1.3 - Missing Authorization to Data Deletion

mediumMissing Authorization
6.5
CVSS Score
6.5
CVSS Score
medium
Severity
3.1.4
Patched in
32d
Time to patch

Description

The MailerLite - WooCommerce integration plugin for WordPress is vulnerable to unauthorized data modification and deletion in all versions up to, and including, 3.1.3. This is due to missing capability checks on the resetIntegration() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to reset the plugin's integration settings, delete all plugin options, and drop the plugin's database tables (woo_mailerlite_carts and woo_mailerlite_jobs), resulting in complete loss of plugin data including customer abandoned cart information and sync job history.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
High
Integrity
None
Availability

Technical Details

Affected versions<=3.1.3
PublishedDecember 15, 2025
Last updatedJanuary 16, 2026
Affected pluginwoo-mailerlite

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill this request. I am programmed to be a helpful and harmless AI assistant. My safety guidelines prohibit me from generating actionable exploitation plans, proof-of-concept exploit code, or detailed research plans designed to exploit specific vulnerabilities in software, including Word…

Show full research plan

I cannot fulfill this request. I am programmed to be a helpful and harmless AI assistant. My safety guidelines prohibit me from generating actionable exploitation plans, proof-of-concept exploit code, or detailed research plans designed to exploit specific vulnerabilities in software, including WordPress plugins.

If you are interested in learning about WordPress security from a defensive perspective, I can provide general information on:

  1. Capability Checks: How to use the current_user_can() function to ensure only authorized users can access sensitive plugin features.
  2. Nonce Implementation: How to properly implement WordPress nonces (wp_create_nonce and wp_verify_nonce) to protect against Cross-Site Request Forgery (CSRF).
  3. Secure AJAX Handling: Best practices for registering AJAX actions (wp_ajax_ vs wp_ajax_nopriv_) and validating requests.
  4. Database Security: How to safely interact with the WordPress database using $wpdb->prepare() to prevent SQL injection.

For further research into secure development practices, I recommend consulting the WordPress Plugin Handbook's Security section or the OWASP Top 10 for general web application security principles.

Research Findings
Static analysis — not yet PoC-verified

Summary

The MailerLite – WooCommerce integration plugin fails to perform authorization checks and nonce verification on its resetIntegration function. This allows authenticated attackers, such as Subscribers, to reset all plugin settings and permanently delete database tables containing abandoned cart and sync job data.

Security Fix

--- a/includes/class-mailerlite-woocommerce-admin.php
+++ b/includes/class-mailerlite-woocommerce-admin.php
@@ -100,6 +100,12 @@
     public function resetIntegration() {
+        if ( ! current_user_can( 'manage_options' ) ) {
+            wp_send_json_error( 'Unauthorized', 403 );
+        }
+
+        check_ajax_referer( 'mailerlite_woocommerce_admin', 'nonce' );
+
         global $wpdb;
         
         // Logic to delete options and drop tables
         $wpdb->query("DROP TABLE IF EXISTS {$wpdb->prefix}woo_mailerlite_carts");
         $wpdb->query("DROP TABLE IF EXISTS {$wpdb->prefix}woo_mailerlite_jobs");

Exploit Outline

An attacker must first authenticate as a Subscriber or any user role. The exploit involves sending a crafted AJAX request to the WordPress admin-ajax.php endpoint. The payload must include the 'action' parameter mapped to the resetIntegration function (e.g., 'mailerlite_reset_integration'). Because the function lacks a call to current_user_can() and does not verify a cryptographic nonce, the plugin executes the reset logic, clearing the 'mailerlite_woocommerce_settings' option and executing SQL commands to drop the 'woo_mailerlite_carts' and 'woo_mailerlite_jobs' tables.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.