30 May 2025

Plugin Vulnerabilities Customers Helped Make WordPress Plugins More Secure, Week of May 30

Our customers give us the ability to help make WordPress plugins more secure, mostly with the plugins they use, but to a lesser extent with other plugins as well. That work often goes unmentioned, so we are highlighting it here to help readers better understand what is going on and how signing up for our service helps expand that work.

Vulnerability That Went Unfixed for 9 Months in 2+ Million Install Plugin Fixed

Last week, we checked on an attempt to fix a vulnerability in the 2+ million install plugin MC4WP: Mailchimp for WordPress and found that the developer had incorrectly fixed the instance of the issue they attempted to fix, and had failed to fix another instance entirely. That had happened 9 months ago. Unfortunately, other WordPress security providers who claim to have security experts check over vulnerability claims either didn’t vet this or missed both of those issues. We checked on that attempted fix because at least one of our customers started using the plugin. We reached out to the developer and this week they fixed the issue. [Read more]

19 May 2025

Wordfence Missed That Authenticated Persistent XSS Vulnerability in 2+ Million Install MC4WP: Mailchimp for WordPress Wasn’t Fixed

Back in September, the developer of the 2+ million install WordPress plugin MC4WP: Mailchimp for WordPress and Wordfence claimed that a minor vulnerability had been fixed. The fix was obviously incomplete, and it turns out the issue is wider than that. [Read more]

20 Nov 2023

Latest Version of 2+ Million Install MC4WP: Mailchimp for WordPress Fixes Minor Security Issue

Today an update was released for the 2+ million active installation WordPress plugin MC4WP: Mailchimp for WordPress, which suggested that a security change had been made, as the changelog reads “Forms: Don’t show form preview to users without edit_posts capability.” As at least one of our customers is using the plugin, we checked in on that and found that a minor security issue had been addressed.

As suggested by the changelog, the update added a check restricting access to a form’s preview to users with the edit_posts capability. Prior to that, anyone could see the preview, including those not logged in to WordPress. Unless a form includes information that isn’t meant to be seen by everyone, there wouldn’t be a security risk in that. [Read more]