LeakyCreds
NewInstant webhook alerts now available — notified within seconds of any credential detection.Learn more →
Home / Vulnerability Intelligence / CVE-2026-23693

CVE-2026-23693 - Vulnerability Analysis

CriticalCVSS: 10.0

Last Updated: February 24, 2026

ElementsKit Lite - Broken Access Control

Published: February 23, 2026Updated: February 24, 2026Remote Exploitable

Overview

ElementsKit Lite WordPress plugin < 3.7.9 contains an open proxy vulnerability caused by insufficient validation of parameters in the /wp-json/elementskit/v1/widget/mailchimp/subscribe REST endpoint, letting unauthenticated attackers trigger unauthorized Mailchimp API calls and resource exhaustion, exploit requires no authentication.

Severity & Score

Severity: Critical
CVSS Score: 10.0
EPSS Score: 14.9%(Probability of exploitation in next 30 days)

Impact

Unauthenticated attackers can trigger unauthorized API calls, manipulate subscription data, exhaust API quotas, and cause resource consumption on the WordPress site.

Mitigation

Update to version 3.7.9 or later.

References

Social Media Activity(3 posts)

Yazoul Alerts
Yazoul Alerts
@Matchbook3469
Feb 24, 2026

🔴 New security advisory: CVE-2026-23693 affects multiple systems. • Impact: Remote code execution or complete system compromise possible • Risk: Attackers can gain full control of affected systems • Mitigation: Patch immediately or isolate affected systems Full breakdown: https://yazoul.net/advisory/cve/cve-2026-23693 #Cybersecurity #VulnerabilityManagement #CyberSec

View original post
Offensive Sequence
Offensive Sequence
@offseq
Feb 24, 2026

⚠️ CVE-2026-23693 (CRITICAL, CVSS 9.3) in ElementsKit Lite <3.7.9 exposes a Mailchimp REST endpoint to unauth’d abuse — risking API quota exhaustion & data manipulation. Patch ASAP & block /wp-json/elementskit/v1/widget/mailchimp/subscribe. https://radar.offseq.com/threat/cve-2026-23693-cwe-306-missing-authentication-for--873ad830 #OffSeq #WordPress #Vuln

View original post
TheHackerWire
TheHackerWire
@thehackerwire
Feb 23, 2026

🔴 CVE-2026-23693 - Critical (10) ElementsKit Lite (elementskit-lite) WordPress plugin versions prior to 3.7.9 expose the REST endpoint /wp-json/elementskit/v1/widget/mailchimp/subscribe without authentication. The endpoint accepts client-supplied Mailchimp API credentials and ins... 🔗 https://www.thehackerwire.com/vulnerability/CVE-2026-23693/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID
CVE-2026-23693
Severity
Critical
CVSS Score
10.0
Type
broken_access_control
Status
unconfirmed
EPSS
14.9%
Social Posts
3

CWE

  • CWE-306

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H

EPSS Score

14.9%Probability of exploitation in the next 30 days