Security update: CSRF vulnerability fixed in version 4.8.5
On June 1st we released version 4.8.5 of Mailchimp for WordPress, which fixes a CSRF (Cross-Site Request Forgery) vulnerability. If you haven’t updated yet, please do so now.
What was the issue?
CSRF is an attack in which a malicious website makes a visitor's browser send a request to another site where that visitor is already logged in, so the request is processed with the victim's credentials. In this case, a specially crafted page could have caused a logged-in WordPress administrator to perform administrative actions in the Mailchimp for WordPress plugin — like deleting log entries or refreshing the Mailchimp list cache — without realising it.
The fix adds nonce verification to every URL that carries the _mc4wp_action query parameter. A WordPress nonce is a token derived from the current user, their login session and the specific action being performed, and it is only valid for a limited time (up to 24 hours by default). A third-party page cannot read or guess that token, so the server now rejects any request that lacks a valid nonce, which is exactly the case for requests that did not originate from the legitimate admin interface.
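To make the mechanism concrete, here is an added illustration (not the plugin's own code) of an admin-action handler before and after nonce verification. The _mc4wp_action parameter is the one named above; the function names prefixed mc4wp_example_, the nonce action names, the admin page slug and the embedded attacker snippet are all constructed for this example. Only standard WordPress functions are used.

```php
<?php
/**
 * Illustrative example, not code from Mailchimp for WordPress.
 * Assumed/hypothetical: the mc4wp_example_* function names, the nonce action
 * prefix "mc4wp_example_", and the admin page slug "mailchimp-for-wp".
 */

// BEFORE: a capability check alone. The request only needs the victim's
// cookies, which the browser attaches automatically, so a constructed
// attacker page containing
//   <img src="https://victim.example/wp-admin/?_mc4wp_action=empty_log">
// makes a logged-in administrator trigger the action without knowing it.
function mc4wp_example_handle_action_vulnerable() {
    if ( empty( $_GET['_mc4wp_action'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $action = sanitize_key( $_GET['_mc4wp_action'] );
    do_action( 'mc4wp_example_admin_action_' . $action );
}

// AFTER: the same handler with nonce verification. The nonce is bound to the
// action name, so a token issued for "empty_log" is not valid for
// "refresh_lists", and to the current user's session, so it cannot be
// minted or guessed by a third-party page.
function mc4wp_example_handle_action_fixed() {
    if ( empty( $_GET['_mc4wp_action'] ) ) {
        return;
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $action = sanitize_key( $_GET['_mc4wp_action'] );

    // check_admin_referer() reads $_REQUEST['_wpnonce'] and calls wp_die()
    // (HTTP 403) when the nonce is absent, expired, or was issued for a
    // different action or user. A forged cross-site request cannot carry it.
    check_admin_referer( 'mc4wp_example_' . $action, '_wpnonce' );

    do_action( 'mc4wp_example_admin_action_' . $action );
}
add_action( 'admin_init', 'mc4wp_example_handle_action_fixed' );

// Every legitimate action link in the admin UI must now be generated with a
// nonce for that specific action, otherwise the fixed handler rejects it.
function mc4wp_example_action_url( $action ) {
    $url = add_query_arg(
        '_mc4wp_action',
        $action,
        admin_url( 'admin.php?page=mailchimp-for-wp' ) // page slug assumed
    );
    return wp_nonce_url( $url, 'mc4wp_example_' . $action, '_wpnonce' );
}
```

If a handler should fail quietly instead of calling wp_die(), use wp_verify_nonce( $_GET['_wpnonce'], 'mc4wp_example_' . $action ) and return on a false result. Either way the nonce check complements, and does not replace, the current_user_can() capability check: the nonce proves the request came from the admin UI, the capability check proves the user is allowed to perform the action.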
Who was affected?
Only WordPress administrators were at risk, and only if they could be lured to a malicious page while logged in. No subscriber data was accessible through this vulnerability.
Credit
A special thank you to Erwan from WPScan for responsibly disclosing this issue to us. We were able to fix and release the update within a few days of the report.
What should you do?
Update to version 4.8.5 or later. You can do this from the Plugins screen in your WordPress admin area, or by downloading the latest version from WordPress.org.
If you have any questions, feel free to contact us.