Atomic Edge analysis of CVE-2025-12172:
The Mailchimp List Subscribe Form WordPress plugin contains a Cross-Site Request Forgery vulnerability in versions up to and including 2.0.0. This vulnerability allows unauthenticated attackers to change the configured Mailchimp list via a forged request, provided they can trick an administrator into clicking a malicious link. The CVSS 4.3 score reflects the requirement for administrator interaction.
The root cause is missing nonce validation in the mailchimp_sf_change_list_if_necessary() function. This function processes the ‘update_mc_list_id’ action without verifying that the request was intentionally submitted from the plugin’s own settings page rather than forged by a third-party site. The vulnerable code resides in mailchimp/mailchimp.php at lines 531-533. The function checks only for the presence of the ‘mc_list_id’ parameter and the user’s capability, omitting any CSRF protection mechanism.
Exploitation requires an attacker to craft a malicious link or form that submits a POST request to the WordPress admin area. The request must include the parameter ‘mcsf_action’ with value ‘update_mc_list_id’ and a ‘mc_list_id’ parameter containing the attacker’s desired Mailchimp list identifier. When an administrator with the ‘manage_options’ capability visits a page containing this malicious payload, their browser automatically submits the request, changing the plugin’s configured Mailchimp list without their knowledge or consent.
The patch adds proper nonce validation in version 2.0.1. The fix inserts a wp_nonce_field() call in mailchimp/includes/admin/templates/settings.php at line 95, generating a nonce named ‘update_mc_list_id_nonce’ for the action ‘update_mc_list_id_action’. The mailchimp_sf_change_list_if_necessary() function now validates this nonce at lines 534-540 before processing any list changes. The patch also adds missing text domains in several esc_html_e() calls and updates version numbers throughout the codebase.
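The missing check and the nonce-based fix side by side, as an added illustrative example in the shape of a WordPress settings handler (constructed for this analysis, not the plugin’s own code; the option name ‘mc_list_id’, the text domain and the example_* function names are assumptions, while the parameter, nonce and action names are those given above):

```php
<?php
// Illustrative reconstruction for this analysis, not the plugin's code.
// Assumed: WordPress core is loaded and the handler runs on an admin page.
// The option name 'mc_list_id' and the text domain are assumptions.

// 1. Settings template: emit the nonce next to the list selector.
//    wp_nonce_field( $action, $name ) adds a hidden input named $name whose
//    value is bound to the action, the current user and the current session.
function example_settings_form() {
    echo '<form method="post">';
    wp_nonce_field( 'update_mc_list_id_action', 'update_mc_list_id_nonce' );
    echo '<input type="hidden" name="mcsf_action" value="update_mc_list_id" />';
    echo '<input type="text" name="mc_list_id" />';
    echo '<input type="submit" value="Update list" />';
    echo '</form>';
}

// 2a. Vulnerable shape: capability and parameter presence only. The browser
//     attaches the admin's cookies to any POST aimed at this page, so the
//     capability check passes for a request the admin never meant to send.
function example_change_list_vulnerable() {
    if ( ! isset( $_POST['mcsf_action'] ) || 'update_mc_list_id' !== $_POST['mcsf_action'] ) {
        return;
    }
    if ( isset( $_POST['mc_list_id'] ) && current_user_can( 'manage_options' ) ) {
        update_option( 'mc_list_id', sanitize_text_field( wp_unslash( $_POST['mc_list_id'] ) ) );
    }
}

// 2b. Hardened shape: verify the nonce before touching any state. A request
//     forged from another origin cannot carry a valid nonce, because the
//     value only exists in the settings page rendered for this admin.
function example_change_list_fixed() {
    if ( ! isset( $_POST['mcsf_action'] ) || 'update_mc_list_id' !== $_POST['mcsf_action'] ) {
        return;
    }
    $nonce = isset( $_POST['update_mc_list_id_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['update_mc_list_id_nonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'update_mc_list_id_action' ) ) {
        // Reject before any capability check or option write.
        wp_die( esc_html__( 'Security check failed.', 'example-textdomain' ), '', array( 'response' => 403 ) );
    }
    if ( isset( $_POST['mc_list_id'] ) && current_user_can( 'manage_options' ) ) {
        update_option( 'mc_list_id', sanitize_text_field( wp_unslash( $_POST['mc_list_id'] ) ) );
    }
}
```

The nonce check must run before the capability check and the update_option() call; placing it afterwards leaves the same window the original code had.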
Successful exploitation allows attackers to redirect form submissions to a Mailchimp list under their control. This enables data harvesting of all user emails and personal information submitted through the plugin’s forms. While the vulnerability requires administrator interaction, it represents a significant data leakage risk as attackers can silently capture sensitive subscriber information.
