Skip to content

Security fix: prevent unauthenticated arbitrary list subscription (2.…#223

Merged
oleksandr-mykhailenko merged 2 commits into
masterfrom
DE-2028-wordplress-mailgun-security-plugin-fix
Jul 9, 2026
Merged

Security fix: prevent unauthenticated arbitrary list subscription (2.…#223
oleksandr-mykhailenko merged 2 commits into
masterfrom
DE-2028-wordplress-mailgun-security-plugin-fix

Conversation

@oleksandr-mykhailenko

Copy link
Copy Markdown
Collaborator

…2.1)

Add nonce verification and server-side list address allowlist validation to the add_list AJAX action. Previously the nopriv action accepted any list address and email without authentication or CSRF protection, allowing an unauthenticated attacker to enrol arbitrary addresses into the site owner's Mailgun lists using stored API credentials as a confused deputy. Reported by Pedro Pinho.

oleksandr-mykhailenko and others added 2 commits July 9, 2026 10:25
…2.1)

Add nonce verification and server-side list address allowlist validation
to the add_list AJAX action. Previously the nopriv action accepted any
list address and email without authentication or CSRF protection, allowing
an unauthenticated attacker to enrol arbitrary addresses into the site
owner's Mailgun lists using stored API credentials as a confused deputy.
Reported by Pedro Pinho.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Documents five changes that shipped in 2.2.0 but had no changelog
coverage: domain-part URL fix, key- prefix removal, PHP 8.4 nullable
type hints, swapped tracking labels fix, and WordPress 7.0 compatibility.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@oleksandr-mykhailenko oleksandr-mykhailenko merged commit 451a92b into master Jul 9, 2026
1 check failed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant