Unauthenticated Access Flaw in ElementsKit Lite WordPress Plugin
CVE-2026-23693

9.3CRITICAL

Key Information:

Vendor

WordPress
Status
Elementskit Elementor Addons – Advanced Widgets & Templates Addons For Elementor
Vendor
CVE Published:
23 February 2026

What is CVE-2026-23693?

The ElementsKit Lite WordPress plugin versions prior to 3.7.9 have a significant issue that exposes the REST endpoint /wp-json/elementskit/v1/widget/mailchimp/subscribe without requiring authentication. This vulnerability allows unauthenticated users to supply their own Mailchimp API credentials and bypass security measures, leading to insufficient validation of parameters. As a result, an attacker could exploit this endpoint to manipulate Mailchimp subscription data, disrupt API functionality, and impact server resources on the vulnerable WordPress site.

Affected Version(s)

ElementsKit Elementor Addons – Advanced Widgets & Templates Addons for Elementor 0 < 3.7.9

References

https://wordpress.org/plugins/elementskit-lite/
productpatch
https://wpmet.com/plugin/elementskit/
product
https://www.vulncheck.com/advisories/elementskit-lite-una...
third-party-advisory

CVSS V4

Score:
9.3
Severity:
CRITICAL
Confidentiality:
Low
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Rahul Karne
VulnCheck
.