CVE-2026-23693
Wpmet · ElementsKit Lite WordPress Plugin
The ElementsKit Lite plugin for WordPress exposes a REST endpoint without authentication, allowing unauthenticated attackers to use the site as an open proxy for Mailchimp API requests.
Executive summary
A critical unauthenticated REST API vulnerability in the ElementsKit Lite WordPress plugin allows attackers to hijack Mailchimp API credentials and perform unauthorized actions.
Vulnerability
The /wp-json/elementskit/v1/widget/mailchimp/subscribe endpoint is exposed without any authentication requirement. An unauthenticated attacker can supply their own Mailchimp API credentials and use the server as an open proxy to manipulate subscription data or exhaust API quotas.
Business impact
This vulnerability can lead to the exhaustion of Mailchimp API limits, manipulation of marketing databases, and significant resource consumption on the host WordPress site. With a CVSS score of 10.0, this is a maximum-severity flaw that could also lead to reputational damage if the site is used for spam.
Remediation
Immediate Action: Update the ElementsKit Lite plugin to version 3.7.9 or later to restrict access to the vulnerable REST endpoint.
Proactive Monitoring: Review WordPress access logs for high volumes of requests to the /wp-json/elementskit/v1/widget/mailchimp/subscribe endpoint.
Compensating Controls: Use a Web Application Firewall (WAF) to block unauthenticated requests to the specific REST API endpoint until the plugin can be updated.
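The Proactive Monitoring and Compensating Controls steps above can be connected in a small log-review script. The following is an added example written for this page, not code from the advisory or from the plugin vendor. It assumes the web server writes combined-format access logs (nginx or Apache default), uses a constructed one-minute window and a constructed threshold of five hits, and works on constructed sample lines with documentation-range IP addresses; it flags source IPs that burst requests at the subscribe route and emits them as nginx-style deny directives that an administrator can review before feeding them to a WAF or server block list.

```python
"""Flag bursts of requests to the ElementsKit Mailchimp subscribe route
in combined-format access logs (added example, not vendor code)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# REST route named in the advisory. Compared after stripping any query
# string and trailing slash so trivial variations are still counted.
TARGET_PATH = "/wp-json/elementskit/v1/widget/mailchimp/subscribe"

# Combined log format:
# ip ident user [time] "METHOD path PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FORMAT),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def endpoint_hits(lines):
    """Yield parsed entries whose path is the vulnerable subscribe route."""
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue
        path = entry["path"].split("?", 1)[0].rstrip("/")
        if path == TARGET_PATH:
            yield entry


def flag_bursts(lines, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: peak_hits} for IPs exceeding `threshold` hits within
    any sliding `window`. Threshold and window are constructed defaults;
    tune them to the site's legitimate form-submission rate."""
    by_ip = defaultdict(list)
    for e in endpoint_hits(lines):
        by_ip[e["ip"]].append(e["ts"])

    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            # Advance the window start until all timestamps fit inside it.
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[ip] = peak
    return flagged


def deny_list(flagged):
    """Render flagged IPs as nginx `deny` directives for operator review."""
    return [f"deny {ip};" for ip in sorted(flagged)]


# Constructed sample log: one source bursting the route, one legitimate
# subscriber, one unrelated request, and one malformed line.
SAMPLE_LOG = [
    f'203.0.113.10 - - [10/Mar/2026:12:00:{s:02d} +0000] "POST {TARGET_PATH} HTTP/1.1" 200 312 "-" "curl/8.5.0"'
    for s in (1, 4, 8, 12, 17, 21, 25)
] + [
    f'198.51.100.7 - - [10/Mar/2026:12:03:40 +0000] "POST {TARGET_PATH}/?source=footer HTTP/1.1" 200 298 "https://example.test/" "Mozilla/5.0"',
    '198.51.100.8 - - [10/Mar/2026:12:04:02 +0000] "GET /wp-login.php HTTP/1.1" 200 4102 "-" "Mozilla/5.0"',
    'this line is not a valid access-log record',
]

if __name__ == "__main__":
    flagged = flag_bursts(SAMPLE_LOG)
    for ip, peak in flagged.items():
        print(f"{ip}: {peak} hits to {TARGET_PATH} within one minute")
    print("\n".join(deny_list(flagged)))
```

Run it against a real log with `flag_bursts(open("access.log"))`; the generator-based design keeps memory bounded to the timestamps of matching requests only. Review the resulting deny list before applying it, since shared NAT egress addresses can also produce bursts.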
Exploitation status
Public Exploit Available: false
Analyst recommendation
With a CVSS score of 10.0, this is an urgent security matter. Administrators should prioritize updating this plugin across all managed WordPress sites to prevent unauthorized use of their infrastructure as an attack proxy.