Fix - Provide CSRF hardening for Mailchimp List changes.

iamdharmesh · iamdharmesh · commit 416253ec3791 · 2026-01-09T02:45:05.000+05:30
diff --git a/mailchimp.php b/mailchimp.php
@@ -4,7 +4,7 @@
  * Plugin URI:        https://mailchimp.com/help/connect-or-disconnect-list-subscribe-for-wordpress/
  * Description:       Add a Mailchimp signup form block, widget or shortcode to your WordPress site.
  * Text Domain:       mailchimp
- * Version:           1.8.0
+ * Version:           1.8.1
  * Requires at least: 6.4
  * Requires PHP:      7.0
  * PHP tested up to:  8.3
@@ -67,7 +67,7 @@ function () {
 use function Mailchimp\WordPress\Includes\Admin\{admin_notice_error, admin_notice_success};
 
 // Version constant for easy CSS refreshes
-define( 'MCSF_VER', '1.8.0' );
+define( 'MCSF_VER', '1.8.1' );
 
 // What's our permission (capability) threshold
 define( 'MCSF_CAP_THRESHOLD', 'manage_options' );
@@ -564,15 +564,20 @@ function mailchimp_sf_change_list_if_necessary() {
 		return;
 	}
 
+	if (
+		! current_user_can( MCSF_CAP_THRESHOLD ) ||
+		! isset( $_POST['update_mc_list_id_nonce'] ) ||
+		! wp_verify_nonce( sanitize_key( $_POST['update_mc_list_id_nonce'] ), 'update_mc_list_id_action' )
+	) {
+		wp_die( 'Security check failed.' );
+	}
+
 	if ( empty( $_POST['mc_list_id'] ) ) {
 		$msg = esc_html__( 'Please choose a valid list', 'mailchimp' );
 		admin_notice_error( $msg );
 		return;
 	}
 
-	// Simple permission check before going through all this
-	if ( ! current_user_can( MCSF_CAP_THRESHOLD ) ) { return; }
-
 	$api = mailchimp_sf_get_api();
 	if ( ! $api ) { return; }
 
diff --git a/readme.txt b/readme.txt
@@ -2,7 +2,7 @@
 Contributors: Mailchimp
 Tags:         mailchimp, email, newsletter, signup, marketing
 Tested up to: 6.8
-Stable tag:   1.8.0
+Stable tag:   1.8.1
 License:      GPL-2.0-or-later
 License URI:  https://spdx.org/licenses/GPL-2.0-or-later.html
 
@@ -81,6 +81,9 @@ If you are upgrading to version 1.2.1 and you used the widget in your sidebar pr
 
 == Changelog ==
 
+= 1.8.1 - 2026-01-08 =
+* **Fix:** Provide CSRF hardening for Mailchimp List changes.
+
 = 1.8.0 - 2025-05-08 =
 **Note that this release bumps the WordPress minimum version from 6.3 to 6.4.**
 
diff --git a/views/setup_page.php b/views/setup_page.php
@@ -88,6 +88,7 @@ function ( $ele ) {
 						</td>
 						<td>
 							<input type="hidden" name="mcsf_action" value="update_mc_list_id" />
+							<?php wp_nonce_field( 'update_mc_list_id_action', 'update_mc_list_id_nonce' ); ?>
 							<input type="submit" name="Submit" value="<?php esc_attr_e( 'Update List', 'mailchimp' ); ?>" class="button mailchimp-sf-button small" />
 						</td>
 					</tr>
