Latest Version of 2+ Million Install MC4WP: Mailchimp for WordPress Fixes Minor Security Issue
Today an update was released for the 2+ million active installation WordPress plugin MC4WP: Mailchimp for WordPress, which suggests that a security change had been made, as it reads “Forms: Don’t show form preview to users without edit_posts capability.” As at least one of our customers is using the plugin, we checked in on that and found that there was a minor security issue addressed.
As suggested by the changelog, the update did add a check to restrict access to seeing a preview of a form from the plugin to those with the edit_posts capability. Prior to that, anyone could see the preview, including those not logged in to WordPress. Unless there is information included in a form that isn’t meant to be seen by everyone, there wouldn’t be a security risk in that.
The permission required is worth noting. The plugin’s admin pages are normally only accessible to users with the manage_options capability, which only Administrators normally have. By comparison, the edit_posts capability is available to users with roles down to Contributor. That seems like a mismatch, but the form can also be seen through a shortcode, which means that Contributors and above can see a preview without accessing the functionality that was changed.
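As an added illustration of the kind of check described above (this is example code written for this post, not the plugin’s own code), a hypothetical WordPress handler that serves a form preview only to users with the edit_posts capability; the hook callback, the renderer function, and the response messages are assumptions:

```php
<?php
// Added example, not MC4WP's own code. Gates a preview request of the form
// ?mc4wp_preview_form=ID behind a capability check. Function names are
// assumptions; the hook, current_user_can(), absint() and wp_die() are
// standard WordPress APIs.
add_action( 'template_redirect', 'example_gate_form_preview' );

function example_gate_form_preview() {
    if ( ! isset( $_GET['mc4wp_preview_form'] ) ) {
        return; // Not a preview request; let WordPress continue as normal.
    }

    // Before the fix the preview was rendered for everyone, including
    // visitors who are not logged in. Requiring edit_posts limits it to
    // Contributors and above; current_user_can() is false when logged out.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die(
            esc_html__( 'You are not allowed to preview this form.' ),
            esc_html__( 'Forbidden' ),
            array( 'response' => 403 )
        );
    }

    // Validate the ID before using it; absint() maps non-numeric input to 0.
    $form_id = absint( $_GET['mc4wp_preview_form'] );
    if ( 0 === $form_id ) {
        wp_die(
            esc_html__( 'Invalid form ID.' ),
            esc_html__( 'Bad Request' ),
            array( 'response' => 400 )
        );
    }

    example_render_form_preview( $form_id );
    exit;
}

// Hypothetical renderer: emits a minimal preview page for the given form ID.
// A real plugin would load the stored form and output its markup here.
function example_render_form_preview( $form_id ) {
    status_header( 200 );
    header( 'Content-Type: text/html; charset=utf-8' );
    echo '<!DOCTYPE html><html><head><title>Form preview</title></head><body>';
    echo '<p>Preview of form #' . esc_html( (string) $form_id ) . '</p>';
    echo '</body></html>';
}
```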
Proof of Concept
The following proof of concept will show the preview of a form.
Make sure to replace “[path to WordPress]” with the location of WordPress and “[form_id]” with the ID of a form from the plugin.
http://[path to WordPress]/?mc4wp_preview_form=[form_id]