Fix - Provide CSRF hardening for Mailchimp List changes.

iamdharmesh · iamdharmesh · commit 6c73dcd33502 · 2026-01-09T02:37:51.000+05:30
diff --git a/mailchimp.php b/mailchimp.php
@@ -4,7 +4,7 @@
  * Plugin URI:        https://mailchimp.com/help/connect-or-disconnect-list-subscribe-for-wordpress/
  * Description:       Add a Mailchimp signup form block, widget or shortcode to your WordPress site.
  * Text Domain:       mailchimp
- * Version:           1.6.3
+ * Version:           1.6.4
  * Requires at least: 6.3
  * Requires PHP:      7.0
  * PHP tested up to:  8.3
@@ -65,7 +65,7 @@ function () {
 }
 
 // Version constant for easy CSS refreshes
-define( 'MCSF_VER', '1.6.3' );
+define( 'MCSF_VER', '1.6.4' );
 
 // What's our permission (capability) threshold
 define( 'MCSF_CAP_THRESHOLD', 'manage_options' );
@@ -589,15 +589,20 @@ function mailchimp_sf_change_list_if_necessary() {
 		return;
 	}
 
+	if (
+		! current_user_can( MCSF_CAP_THRESHOLD ) ||
+		! isset( $_POST['update_mc_list_id_nonce'] ) ||
+		! wp_verify_nonce( sanitize_key( $_POST['update_mc_list_id_nonce'] ), 'update_mc_list_id_action' )
+	) {
+		wp_die( 'Security check failed.' );
+	}
+
 	if ( empty( $_POST['mc_list_id'] ) ) {
 		$msg = '<p class="error_msg">' . esc_html__( 'Please choose a valid list', 'mailchimp' ) . '</p>';
 		mailchimp_sf_global_msg( $msg );
 		return;
 	}
 
-	// Simple permission check before going through all this
-	if ( ! current_user_can( MCSF_CAP_THRESHOLD ) ) { return; }
-
 	$api = mailchimp_sf_get_api();
 	if ( ! $api ) { return; }
 
diff --git a/readme.txt b/readme.txt
@@ -2,7 +2,7 @@
 Contributors: Mailchimp
 Tags:         mailchimp, email, newsletter, signup, marketing
 Tested up to: 6.7
-Stable tag:   1.6.3
+Stable tag:   1.6.4
 License:      GPL-2.0-or-later
 License URI:  https://spdx.org/licenses/GPL-2.0-or-later.html
 
@@ -81,6 +81,9 @@ If you are upgrading to version 1.2.1 and you used the widget in your sidebar pr
 
 == Changelog ==
 
+= 1.6.4 - 2026-01-08 =
+* **Fix:** Provide CSRF hardening for Mailchimp List changes.
+
 = 1.6.3 - 2025-01-30 =
 * **Added:** Transform the `mailchimp_sf_shortcode` shortcode to the Mailchimp List Subscribe Form block (props [@MaxwellGarceau](https://github.com/qasumitbagthariya), [@jeffpaul](https://github.com/vikrampm1), [@dkotter](https://github.com/dkotter), [@qasumitbagthariya](https://github.com/qasumitbagthariya) via [#84](https://github.com/mailchimp/wordpress/pull/84)).
 * **Removed:** Deprecated Sopresto code (props [@MaxwellGarceau](https://github.com/qasumitbagthariya), [@jeffpaul](https://github.com/vikrampm1), [@dkotter](https://github.com/dkotter) via [#98](https://github.com/mailchimp/wordpress/pull/98)).
diff --git a/views/setup_page.php b/views/setup_page.php
@@ -104,6 +104,7 @@ function ( $ele ) {
 						</td>
 						<td>
 							<input type="hidden" name="mcsf_action" value="update_mc_list_id" />
+							<?php wp_nonce_field( 'update_mc_list_id_action', 'update_mc_list_id_nonce' ); ?>
 							<input type="submit" name="Submit" value="<?php esc_attr_e( 'Update List', 'mailchimp' ); ?>" class="button mailchimp-sf-button small" />
 						</td>
 					</tr>
