CVE-2026-1303

medium

Description

The MailChimp Campaigns plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.2.4. This is due to missing capability checks on the `mailchimp_campaigns_manager_disconnect_app` function that is hooked to the AJAX action of the same name. This makes it possible for authenticated attackers, with Subscriber-level access and above, to disconnect the site from its MailChimp synchronization app, disrupting automated email campaigns and marketing integrations.
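The weakness described above is the common WordPress pattern of a `wp_ajax_*` handler that changes site state without verifying the caller's capability. The following is an added illustration, not the plugin's own code from the linked trac source: it shows the unguarded shape beside a hardened handler that gates on `current_user_can()` and a nonce. The option name, nonce action name and function bodies are hypothetical; only the AJAX action name comes from the advisory.

```php
<?php
// Added illustration of the CVE-2026-1303 pattern; not the plugin's real code.
// WordPress routes any wp_ajax_<action> request from a logged-in session,
// regardless of role, to the hooked callback. Authorization is the callback's job.

// --- Unguarded shape (shown for contrast; NOT registered below) ---
function example_disconnect_app_unguarded() {
    // No current_user_can() and no nonce check: any authenticated role,
    // including Subscriber, can trigger this state change.
    delete_option( 'example_mailchimp_connection' ); // hypothetical option name
    wp_send_json_success( array( 'disconnected' => true ) );
}

// --- Hardened shape ---
function example_disconnect_app_hardened() {
    // 1. Authorization: only users who may manage site settings can disconnect.
    //    wp_send_json_error() outputs JSON and exits, so execution stops here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 2. CSRF protection: require a nonce bound to this specific action.
    //    check_ajax_referer() dies with -1 when the nonce is missing or invalid.
    check_ajax_referer( 'example_disconnect_app', 'nonce' ); // hypothetical nonce action

    delete_option( 'example_mailchimp_connection' );
    wp_send_json_success( array( 'disconnected' => true ) );
}

// Register only the hardened callback on the AJAX action named in the advisory.
add_action( 'wp_ajax_mailchimp_campaigns_manager_disconnect_app', 'example_disconnect_app_hardened' );
```

When reviewing a plugin for this class of bug, enumerate every `add_action( 'wp_ajax_...' )` and `wp_ajax_nopriv_...` registration and confirm each callback performs a capability check appropriate to the state it changes; a nonce alone proves the request came from the site's own page, not that the user is authorized.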

References

https://www.wordfence.com/threat-intel/vulnerabilities/id/c2057ec2-9f03-4ae9-b200-aa5a318b461e?source=cve

https://plugins.trac.wordpress.org/browser/olalaweb-mailchimp-campaign-manager/trunk/mailchimp-campaigns-manager.php#L636

https://plugins.trac.wordpress.org/browser/olalaweb-mailchimp-campaign-manager/tags/3.2.4/mailchimp-campaigns-manager.php#L636

Details

Source: Mitre, NVD

Published: 2026-02-14

Updated: 2026-02-14

Risk Information

CVSS v2

Base Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N

Severity: Medium

CVSS v3

Base Score: 5.3

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Severity: Medium

EPSS

EPSS: 0.00026