diff --git a/CHANGELOG.md b/CHANGELOG.md index c2fec05..c86e86e 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -4,6 +4,17 @@ All notable changes to this project will be documented in this file, per [the Ke ## [Unreleased] - TBD +## [2.0.1] - 2026-01-08 + +### Fixed + +- Provide CSRF hardening for Mailchimp List changes (props [@iamdharmesh](https://github.com/iamdharmesh), [@joemcgill](https://github.com/joemcgill), [@dkotter](https://github.com/dkotter), [@qasumitbagthariya](https://github.com/qasumitbagthariya)). +- Plugin check plugin errors to improve overall codebase (props [@iamdharmesh](https://github.com/iamdharmesh), [@joemcgill](https://github.com/joemcgill), [@dkotter](https://github.com/dkotter), [@qasumitbagthariya](https://github.com/qasumitbagthariya)). + +### Changed + +- Bump WordPress "tested up to" version 6.9 (props [@iamdharmesh](https://github.com/iamdharmesh), [@joemcgill](https://github.com/joemcgill), [@qasumitbagthariya](https://github.com/qasumitbagthariya)). + ## [2.0.0] - 2025-08-11 ### Added @@ -33,6 +44,12 @@ All notable changes to this project will be documented in this file, per [the Ke - Update 10up-toolkit from 6.2.0 to 6.5.0 (props [@iamdharmesh](https://github.com/iamdharmesh), [@dkotter](https://github.com/dkotter) via [#174](https://github.com/mailchimp/wordpress/pull/174)). +## [1.9.1] - 2026-01-08 + +### Fixed + +- Provide CSRF hardening for Mailchimp List changes (props [@iamdharmesh](https://github.com/iamdharmesh), [@joemcgill](https://github.com/joemcgill), [@dkotter](https://github.com/dkotter), [@qasumitbagthariya](https://github.com/qasumitbagthariya)). + ## [1.9.0] - 2025-06-04 ### Added 
@@ -43,6 +60,13 @@ All notable changes to this project will be documented in this file, per [the Ke - Improved the enqueueing of JavaScript scripts and styles (props [@iamdharmesh](https://github.com/iamdharmesh), [@dkotter](https://github.com/dkotter), [@qasumitbagthariya](https://github.com/qasumitbagthariya) via [#161](https://github.com/mailchimp/wordpress/pull/161)). +## [1.8.1] - 2026-01-08 + +### Fixed + +- Provide CSRF hardening for Mailchimp List changes (props [@iamdharmesh](https://github.com/iamdharmesh), [@joemcgill](https://github.com/joemcgill), [@dkotter](https://github.com/dkotter), [@qasumitbagthariya](https://github.com/qasumitbagthariya)). + + ## [1.8.0] - 2025-05-08 **Note that this release bumps the WordPress minimum version from 6.3 to 6.4.** @@ -58,6 +82,12 @@ All notable changes to this project will be documented in this file, per [the Ke - Bump WordPress "tested up to" version 6.8 (props [@qasumitbagthariya](https://github.com/qasumitbagthariya), [@dkotter](https://github.com/dkotter) via [#148](https://github.com/mailchimp/wordpress/pull/148)). - Bump WordPress minimum supported version from 6.3 to 6.4 (props [@qasumitbagthariya](https://github.com/qasumitbagthariya), [@dkotter](https://github.com/dkotter) via [#148](https://github.com/mailchimp/wordpress/pull/148)). +## [1.7.1] - 2026-01-08 + +### Fixed + +- Provide CSRF hardening for Mailchimp List changes (props [@iamdharmesh](https://github.com/iamdharmesh), [@joemcgill](https://github.com/joemcgill), [@dkotter](https://github.com/dkotter), [@qasumitbagthariya](https://github.com/qasumitbagthariya)). + ## [1.7.0] - 2025-04-08 ### Changed 
@@ -91,6 +121,12 @@ All notable changes to this project will be documented in this file, per [the Ke - Update all third-party actions our workflows rely on to use versions based on specific commit hashes (props [@dkotter](https://github.com/dkotter), [@jeffpaul](https://github.com/jeffpaul), [@iamdharmesh](https://github.com/iamdharmesh) via [#128](https://github.com/mailchimp/wordpress/pull/128)). - Prevent overwriting the release content with the body text provided in the GitHub Action workflow file (props [@iamdharmesh](https://github.com/iamdharmesh), [@dkotter](https://github.com/dkotter) via [#129](https://github.com/mailchimp/wordpress/pull/129)). +## [1.6.4] - 2026-01-08 + +### Fixed + +- Provide CSRF hardening for Mailchimp List changes (props [@iamdharmesh](https://github.com/iamdharmesh), [@joemcgill](https://github.com/joemcgill), [@dkotter](https://github.com/dkotter), [@qasumitbagthariya](https://github.com/qasumitbagthariya)). + ## [1.6.3] - 2025-01-30 ### Added @@ -209,6 +245,13 @@ All notable changes to this project will be documented in this file, per [the Ke - Added ESLint GitHub Action Workflow (props [@dkotter](https://github.com/dkotter), [@jeffpaul](https://github.com/jeffpaul) via [#20](https://github.com/mailchimp/wordpress/pull/20)). - Added Standard GitHub Action Workflows (props [@dkotter](https://github.com/dkotter), [@jeffpaul](https://github.com/jeffpaul) via [#21](https://github.com/mailchimp/wordpress/pull/21)). +## 1.5.9 - 2026-01-08 + +### Fixed + +- Provide CSRF hardening for Mailchimp List changes. + + ## 1.5.8 - 2022-09-26 ### Changed 
@@ -352,10 +395,15 @@ All notable changes to this project will be documented in this file, per [the Ke - Security and various other improvements [Unreleased]: https://github.com/mailchimp/wordpress/compare/main...develop +[2.0.1]: https://github.com/mailchimp/wordpress/compare/2.0.0...2.0.1 [2.0.0]: https://github.com/mailchimp/wordpress/compare/1.9.0...2.0.0 +[1.9.1]: https://github.com/mailchimp/wordpress/compare/1.9.0...1.9.1 [1.9.0]: https://github.com/mailchimp/wordpress/compare/1.8.0...1.9.0 +[1.8.1]: https://github.com/mailchimp/wordpress/compare/1.8.0...1.8.1 [1.8.0]: https://github.com/mailchimp/wordpress/compare/1.7.0...1.8.0 +[1.7.1]: https://github.com/mailchimp/wordpress/compare/1.7.0...1.7.1 [1.7.0]: https://github.com/mailchimp/wordpress/compare/1.6.3...1.7.0 +[1.6.4]: https://github.com/mailchimp/wordpress/compare/1.6.3...1.6.4 [1.6.3]: https://github.com/mailchimp/wordpress/compare/1.6.2...1.6.3 [1.6.2]: https://github.com/mailchimp/wordpress/compare/1.6.1...1.6.2 [1.6.1]: https://github.com/mailchimp/wordpress/compare/1.6.0...1.6.1 diff --git a/CREDITS.md b/CREDITS.md index 1f7f488..f2f6786 100644 --- a/CREDITS.md +++ b/CREDITS.md 
@@ -12,7 +12,7 @@ The following individuals are responsible for curating the list of issues, respo Thank you to all the people who have already contributed to this repository via bug reports, code, design, ideas, project management, translation, testing, etc. -[Mailchimp (@mailchimp)](https://github.com/mailchimp), [Crowd Favorite (@crowdfavorite)](https://github.com/crowdfavorite), [Matthew Richmond (@bigdawggi)](https://github.com/bigdawggi), [Devin Reams (@devinreams)](https://github.com/devinreams), [Alex King (@alexkingorg)](https://github.com/alexkingorg), [Jesse (@jessedp)](https://github.com/jessedp), [Andrew Ellis](awellis@me.com), [Evan Anderson (@ejdanderson)](https://github.com/ejdanderson), [Webb Henderson (@emerywebster)](https://github.com/emerywebster), [Steven Mathias (@ssmathias)](https://github.com/ssmathias), [Jonathan D. Johnson (@jondavidjohn)](https://github.com/jondavidjohn), [Ross Tweedie (@digitales)](https://github.com/digitales), [(@mcwill)](https://github.com/mcwill), [Andrew Austin (@andrewjaustin)](https://github.com/andrewjaustin), [Marc Queralt i Bassa (@MarcQueralt)](https://github.com/MarcQueralt), [Chris Mospaw (@mospaw)](https://github.com/mospaw), [Jonas Stensved (@jstensved)](https://github.com/jstensved), [netboy](netboy@netboy.pl), [Lenin](lenin@tasawr.com), [Bauke Zwaan (@baukezwaan)](https://github.com/baukezwaan), [Jascha Ehrenreich (@jaeh)](https://github.com/jaeh), [Chris Wilcoxson (@slushman)](https://github.com/slushman), [Luke Watts (@thisislawatts)](https://github.com/thisislawatts), [Glenn Ansley (@glennansley)](https://github.com/glennansley), [SiteGround](http://www.siteground.com/wordpress-hosting.htm), [Peter Kahoun](http://kahi.cz/), [Jan Lund](), [Michael Jaekel](), [Ιωάννης Δημοφέρλιας (John Dimoferlias)](), [Tomás Nader](), [Claudia Mansilla](http://cricava.com/), [Helen Urbanik](http://www.motomaania.ee/), [Maxime Toulliou](http://www.maximetoulliou.com/), [שגיב בית](http://www.sagive.co.il), [Okostobi](), 
[Stefan Des](http://www.stefandes.com), [백선기 (SK Baek)](), [Alexander Roterud aka Defrag](http://www.tigerpews.com), [Filip Stas](http://suddenelfilio.net/), [Maria Manoela Porto](), [Tiago Faria](http://xroot.org), [Alexandru Armin Roșu](), [Илья](http://fatcow.com), [Sebastian Johnsson](http://www.agiley.se/), [Hakan E.](http://kazancexpert.com/), [Josh Grosser (@jgrosser-intuit)](https://github.com/jgrosser-intuit), [10up (@10up)](https://github.com/10up), [Nate Conley (@nateconley)](https://github.com/nateconley), [Darin Kotter (@dkotter)](https://github.com/dkotter), [Jeffrey Paul (@jeffpaul)](https://github.com/jeffpaul), [Eddie Shrake (@eddieshrake)](https://github.com/eddieshrake), [Sumit Bagthariya (@qasumitbagthariya)](https://github.com/qasumitbagthariya), [Vikram Moparthy (@vikrampm1)](https://github.com/vikrampm1), [Dharmesh Patel (@iamdharmesh)](https://github.com/iamdharmesh), [GitHub Dependabot (@dependabot)](https://github.com/apps/dependabot), [Jer Clarke (@jerclarke)](https://github.com/jerclarke), [Max Garceau (@MaxwellGarceau)](https://github.com/MaxwellGarceau), [Nathan Tetzlaff](), [Romain Deville](https://www.linkedin.com/in/devilleromain/). +[Mailchimp (@mailchimp)](https://github.com/mailchimp), [Crowd Favorite (@crowdfavorite)](https://github.com/crowdfavorite), [Matthew Richmond (@bigdawggi)](https://github.com/bigdawggi), [Devin Reams (@devinreams)](https://github.com/devinreams), [Alex King (@alexkingorg)](https://github.com/alexkingorg), [Jesse (@jessedp)](https://github.com/jessedp), [Andrew Ellis](awellis@me.com), [Evan Anderson (@ejdanderson)](https://github.com/ejdanderson), [Webb Henderson (@emerywebster)](https://github.com/emerywebster), [Steven Mathias (@ssmathias)](https://github.com/ssmathias), [Jonathan D. 
Johnson (@jondavidjohn)](https://github.com/jondavidjohn), [Ross Tweedie (@digitales)](https://github.com/digitales), [(@mcwill)](https://github.com/mcwill), [Andrew Austin (@andrewjaustin)](https://github.com/andrewjaustin), [Marc Queralt i Bassa (@MarcQueralt)](https://github.com/MarcQueralt), [Chris Mospaw (@mospaw)](https://github.com/mospaw), [Jonas Stensved (@jstensved)](https://github.com/jstensved), [netboy](netboy@netboy.pl), [Lenin](lenin@tasawr.com), [Bauke Zwaan (@baukezwaan)](https://github.com/baukezwaan), [Jascha Ehrenreich (@jaeh)](https://github.com/jaeh), [Chris Wilcoxson (@slushman)](https://github.com/slushman), [Luke Watts (@thisislawatts)](https://github.com/thisislawatts), [Glenn Ansley (@glennansley)](https://github.com/glennansley), [SiteGround](http://www.siteground.com/wordpress-hosting.htm), [Peter Kahoun](http://kahi.cz/), [Jan Lund](), [Michael Jaekel](), [Ιωάννης Δημοφέρλιας (John Dimoferlias)](), [Tomás Nader](), [Claudia Mansilla](http://cricava.com/), [Helen Urbanik](http://www.motomaania.ee/), [Maxime Toulliou](http://www.maximetoulliou.com/), [שגיב בית](http://www.sagive.co.il), [Okostobi](), [Stefan Des](http://www.stefandes.com), [백선기 (SK Baek)](), [Alexander Roterud aka Defrag](http://www.tigerpews.com), [Filip Stas](http://suddenelfilio.net/), [Maria Manoela Porto](), [Tiago Faria](http://xroot.org), [Alexandru Armin Roșu](), [Илья](http://fatcow.com), [Sebastian Johnsson](http://www.agiley.se/), [Hakan E.](http://kazancexpert.com/), [Josh Grosser (@jgrosser-intuit)](https://github.com/jgrosser-intuit), [10up (@10up)](https://github.com/10up), [Nate Conley (@nateconley)](https://github.com/nateconley), [Darin Kotter (@dkotter)](https://github.com/dkotter), [Jeffrey Paul (@jeffpaul)](https://github.com/jeffpaul), [Eddie Shrake (@eddieshrake)](https://github.com/eddieshrake), [Sumit Bagthariya (@qasumitbagthariya)](https://github.com/qasumitbagthariya), [Vikram Moparthy (@vikrampm1)](https://github.com/vikrampm1), [Dharmesh 
Patel (@iamdharmesh)](https://github.com/iamdharmesh), [GitHub Dependabot (@dependabot)](https://github.com/apps/dependabot), [Jer Clarke (@jerclarke)](https://github.com/jerclarke), [Max Garceau (@MaxwellGarceau)](https://github.com/MaxwellGarceau), [Nathan Tetzlaff](), [Romain Deville](https://www.linkedin.com/in/devilleromain/), [@joemcgill](https://github.com/joemcgill). ## Libraries diff --git a/includes/admin/class-mailchimp-user-sync.php b/includes/admin/class-mailchimp-user-sync.php index 467b185..0f58aed 100644 --- a/includes/admin/class-mailchimp-user-sync.php +++ b/includes/admin/class-mailchimp-user-sync.php @@ -325,7 +325,8 @@ public function subscriber_status_field() { _n( 'You will need %1$sa Mailchimp plan%2$s that includes %3$d contact.', 'You will need %1$sa Mailchimp plan%2$s that includes %3$d contacts.', - absint( $users_count ) + absint( $users_count ), + 'mailchimp' ), '', '', diff --git a/includes/admin/templates/settings.php b/includes/admin/templates/settings.php index 555dec0..b657841 100644 --- a/includes/admin/templates/settings.php +++ b/includes/admin/templates/settings.php @@ -94,6 +94,7 @@ function ( $ele ) {
+
diff --git a/includes/admin/templates/setup-page.php b/includes/admin/templates/setup-page.php index b24c5b5..b2ce2c2 100644 --- a/includes/admin/templates/setup-page.php +++ b/includes/admin/templates/setup-page.php @@ -224,7 +224,7 @@ @@ -234,7 +234,7 @@ onclick="showMe('mc-custom-styling')"/> @@ -265,7 +265,7 @@ /> diff --git a/includes/class-mailchimp-form-submission.php b/includes/class-mailchimp-form-submission.php index b0a8de0..68d8278 100644 --- a/includes/class-mailchimp-form-submission.php +++ b/includes/class-mailchimp-form-submission.php @@ -99,6 +99,7 @@ public function handle_form_submission() { $merge_fields = get_option( 'mc_merge_vars', array() ); $interest_groups = get_option( 'mc_interest_groups', array() ); + // phpcs:disable WordPress.Security.NonceVerification.Missing -- Nonce check is already done in the request_handler() function. // Check if request from latest block. if ( isset( $_POST['mailchimp_sf_list_id'] ) ) { $list_id = isset( $_POST['mailchimp_sf_list_id'] ) ? sanitize_text_field( wp_unslash( $_POST['mailchimp_sf_list_id'] ) ) : ''; @@ -148,6 +149,7 @@ public function handle_form_submission() { } else { $email_type = 'html'; } + // phpcs:enable WordPress.Security.NonceVerification.Missing $response = $this->subscribe_to_list( $list_id, 
@@ -251,10 +253,11 @@ public function prepare_merge_fields_body( $merge_fields, $skip_merge_validation $opt = 'mc_mv_' . $tag; // Skip if the field is not required and not submitted. - if ( ( true !== (bool) $merge_field['required'] && ! isset( $_POST[ $opt ] ) ) || $skip_merge_validation ) { + if ( ( true !== (bool) $merge_field['required'] && ! isset( $_POST[ $opt ] ) ) || $skip_merge_validation ) { // phpcs:ignore WordPress.Security.NonceVerification.Missing -- Nonce check is already done in the request_handler() function. continue; } + // phpcs:ignore WordPress.Security.NonceVerification.Missing -- Nonce check is already done in the request_handler() function. $opt_val = isset( $_POST[ $opt ] ) ? map_deep( stripslashes_deep( $_POST[ $opt ] ), 'sanitize_text_field' ) : ''; switch ( $merge_field['type'] ) { @@ -339,6 +342,7 @@ public function prepare_groups_body( $interest_groups ) { foreach ( $interest_groups as $interest_group ) { $ig_id = $interest_group['id']; + // phpcs:disable WordPress.Security.NonceVerification.Missing -- Nonce check is already done in the request_handler() function. if ( isset( $_POST['group'][ $ig_id ] ) && 'hidden' !== $interest_group['type'] ) { switch ( $interest_group['type'] ) { case 'dropdown': @@ -367,6 +371,7 @@ public function prepare_groups_body( $interest_groups ) { break; } } + // phpcs:enable WordPress.Security.NonceVerification.Missing } return $groups; } 
@@ -544,6 +549,7 @@ public function remove_empty_merge_fields( $merge ) { * @return bool|WP_Error True if valid, WP_Error if invalid. */ protected function validate_form_submission() { + // phpcs:disable WordPress.Security.NonceVerification.Missing -- Nonce check is already done in the request_handler() function. $spam_message = esc_html__( "We couldn't process your submission as it was flagged as potential spam. Please try again.", 'mailchimp' ); // Make sure the honeypot field is set, but not filled (if it is, then it's a spam). if ( ! isset( $_POST['mailchimp_sf_alt_email'] ) || ! empty( $_POST['mailchimp_sf_alt_email'] ) ) { @@ -579,5 +585,6 @@ protected function validate_form_submission() { * @param array $post_data The $_POST data. */ return apply_filters( 'mailchimp_sf_form_submission_validation', true, $_POST ); + // phpcs:enable WordPress.Security.NonceVerification.Missing } } diff --git a/mailchimp.php b/mailchimp.php index 83b5ac5..caf1cd2 100644 --- a/mailchimp.php +++ b/mailchimp.php @@ -4,7 +4,7 @@ * Plugin URI: https://mailchimp.com/help/connect-or-disconnect-list-subscribe-for-wordpress/ * Description: Add a Mailchimp signup form block, widget or shortcode to your WordPress site. * Text Domain: mailchimp - * Version: 2.0.0 + * Version: 2.0.1 * Requires at least: 6.4 * Requires PHP: 7.0 * PHP tested up to: 8.3 @@ -67,7 +67,7 @@ function () { use function Mailchimp\WordPress\Includes\Admin\{admin_notice_error, admin_notice_success}; // Version constant for easy CSS refreshes -define( 'MCSF_VER', '2.0.0' ); +define( 'MCSF_VER', '2.0.1' ); // What's our permission (capability) threshold define( 'MCSF_CAP_THRESHOLD', 'manage_options' ); 
@@ -421,7 +421,7 @@ function mailchimp_sf_set_form_defaults( $list_name = '' ) { * @return void **/ function mailchimp_sf_save_general_form_settings() { - + // phpcs:disable WordPress.Security.NonceVerification.Missing -- Nonce check is already done in the mailchimp_sf_request_handler() function. /*Enable double optin toggle*/ if ( isset( $_POST['mc_double_optin'] ) ) { update_option( 'mc_double_optin', true ); @@ -447,11 +447,11 @@ function mailchimp_sf_save_general_form_settings() { /* Update existing */ if ( isset( $_POST['mc_update_existing'] ) ) { update_option( 'mc_update_existing', true ); - $msg = esc_html__( 'Update existing subscribers turned On!' ); + $msg = esc_html__( 'Update existing subscribers turned On!', 'mailchimp' ); admin_notice_success( $msg ); } elseif ( get_option( 'mc_update_existing' ) !== false ) { update_option( 'mc_update_existing', false ); - $msg = esc_html__( 'Update existing subscribers turned Off!' ); + $msg = esc_html__( 'Update existing subscribers turned Off!', 'mailchimp' ); admin_notice_success( $msg ); } @@ -521,6 +521,7 @@ function mailchimp_sf_save_general_form_settings() { $msg = esc_html__( 'Successfully Updated your List Subscribe Form Settings!', 'mailchimp' ); admin_notice_success( $msg ); + // phpcs:enable WordPress.Security.NonceVerification.Missing } /** @@ -531,15 +532,20 @@ function mailchimp_sf_change_list_if_necessary() { return; } + if ( + ! current_user_can( MCSF_CAP_THRESHOLD ) || + ! isset( $_POST['update_mc_list_id_nonce'] ) || + ! wp_verify_nonce( sanitize_key( $_POST['update_mc_list_id_nonce'] ), 'update_mc_list_id_action' ) + ) { + wp_die( 'Security check failed.' ); + } + if ( empty( $_POST['mc_list_id'] ) ) { $msg = esc_html__( 'Please choose a valid list', 'mailchimp' ); admin_notice_error( $msg ); return; } - // Simple permission check before going through all this - if ( ! current_user_can( MCSF_CAP_THRESHOLD ) ) { return; } - $api = mailchimp_sf_get_api(); if ( ! $api ) { return; } 
@@ -605,7 +611,7 @@ function mailchimp_sf_change_list_if_necessary() { __( 'Success! Loaded and saved the info for %d Merge Variables', 'mailchimp' ) . $igs_text, count( $mv ) ) . ' ' . - esc_html__( 'from your list' ) . ' "' . $list_name . '"

' . + esc_html__( 'from your list', 'mailchimp' ) . ' "' . $list_name . '"

' . esc_html__( 'Now you should either Turn On the Mailchimp Widget or change your options below, then turn it on.', 'mailchimp' ); admin_notice_success( $msg ); diff --git a/package-lock.json b/package-lock.json index a428cd7..ea8f89e 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "@mailchimp/wordpress", - "version": "2.0.0", + "version": "2.0.1", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "@mailchimp/wordpress", - "version": "2.0.0", + "version": "2.0.1", "license": "GPL-2.0-or-later", "dependencies": { "@wordpress/block-editor": "^13.2.0", diff --git a/package.json b/package.json index 2940b88..c4dcd23 100644 --- a/package.json +++ b/package.json @@ -1,6 +1,6 @@ { "name": "@mailchimp/wordpress", - "version": "2.0.0", + "version": "2.0.1", "description": "Add a Mailchimp signup form widget to your WordPress site.", "homepage": "https://github.com/mailchimp/wordpress", "bugs": { diff --git a/readme.txt b/readme.txt index 0c9d24d..9170390 100644 --- a/readme.txt +++ b/readme.txt @@ -1,8 +1,8 @@ === Mailchimp List Subscribe Form === Contributors: Mailchimp Tags: mailchimp, email, newsletter, signup, marketing -Tested up to: 6.8 -Stable tag: 2.0.0 +Tested up to: 6.9 +Stable tag: 2.0.1 License: GPL-2.0-or-later License URI: https://spdx.org/licenses/GPL-2.0-or-later.html 
@@ -76,6 +76,11 @@ If you are upgrading to version 1.2.1 and you used the widget in your sidebar pr == Changelog == += 2.0.1 - 2026-01-08 = +* **Fixed:** Provide CSRF hardening for Mailchimp List changes (props [@iamdharmesh](https://github.com/iamdharmesh), [@joemcgill](https://github.com/joemcgill), [@dkotter](https://github.com/dkotter), [@qasumitbagthariya](https://github.com/qasumitbagthariya)). +* **Fixed:** Plugin check plugin errors to improve overall codebase (props [@iamdharmesh](https://github.com/iamdharmesh), [@joemcgill](https://github.com/joemcgill), [@dkotter](https://github.com/dkotter), [@qasumitbagthariya](https://github.com/qasumitbagthariya)). +* **Changed:** Bump WordPress "tested up to" version 6.9 (props [@iamdharmesh](https://github.com/iamdharmesh), [@joemcgill](https://github.com/joemcgill), [@qasumitbagthariya](https://github.com/qasumitbagthariya)). + = 2.0.0 - 2025-08-11 = * **Added:** Form templates to the Mailchimp List Subscribe Form block, allowing users to quickly insert and publish specific forms (props [@iamdharmesh](https://github.com/iamdharmesh), [Romain Deville](https://www.linkedin.com/in/devilleromain/), [@vikrampm1](https://github.com/vikrampm1), [@jeffpaul](https://github.com/jeffpaul), [@dkotter](https://github.com/dkotter), [@qasumitbagthariya](https://github.com/qasumitbagthariya) via [#171](https://github.com/mailchimp/wordpress/pull/171)). * **Changed:** Improved navigation and UX enhancements to the plugin settings page (props [@iamdharmesh](https://github.com/iamdharmesh), [Romain Deville](https://www.linkedin.com/in/devilleromain/), [@jeffpaul](https://github.com/jeffpaul), [@dkotter](https://github.com/dkotter), [@qasumitbagthariya](https://github.com/qasumitbagthariya) via [#169](https://github.com/mailchimp/wordpress/pull/169)). 
@@ -89,10 +94,16 @@ If you are upgrading to version 1.2.1 and you used the widget in your sidebar pr * **Security:** Bump `serialize-javascript` from 6.0.0 to 6.0.2 and `mocha` from 10.4.0 to 11.7.1 (props [@dependabot](https://github.com/apps/dependabot), [@iamdharmesh](https://github.com/iamdharmesh) via [#179](https://github.com/mailchimp/wordpress/pull/179)). * **Security:** Bump `http-proxy-middleware` from 2.0.6 to 2.0.9 (props [@dependabot](https://github.com/apps/dependabot), [@iamdharmesh](https://github.com/iamdharmesh) via [#180](https://github.com/mailchimp/wordpress/pull/180)). += 1.9.1 - 2026-01-08 = +* **Fixed:** Provide CSRF hardening for Mailchimp List changes (props [@iamdharmesh](https://github.com/iamdharmesh), [@joemcgill](https://github.com/joemcgill), [@dkotter](https://github.com/dkotter), [@qasumitbagthariya](https://github.com/qasumitbagthariya)). + = 1.9.0 - 2025-06-04 = * **Added:** New user synchronization feature that allows syncing WordPress users to Mailchimp (props [@iamdharmesh](https://github.com/iamdharmesh), [@jeffpaul](https://github.com/jeffpaul), [@dkotter](https://github.com/dkotter), [@qasumitbagthariya](https://github.com/qasumitbagthariya) via [#156](https://github.com/mailchimp/wordpress/pull/156)). * **Changed:** Improved the enqueueing of JavaScript scripts and styles (props [@iamdharmesh](https://github.com/iamdharmesh), [@dkotter](https://github.com/dkotter), [@qasumitbagthariya](https://github.com/qasumitbagthariya) via [#161](https://github.com/mailchimp/wordpress/pull/161)). += 1.8.1 - 2026-01-08 = +* **Fixed:** Provide CSRF hardening for Mailchimp List changes (props [@iamdharmesh](https://github.com/iamdharmesh), [@joemcgill](https://github.com/joemcgill), [@dkotter](https://github.com/dkotter), [@qasumitbagthariya](https://github.com/qasumitbagthariya)). + = 1.8.0 - 2025-05-08 = **Note that this release bumps the WordPress minimum version from 6.3 to 6.4.** 
@@ -102,6 +113,9 @@ If you are upgrading to version 1.2.1 and you used the widget in your sidebar pr * **Changed:** Bump WordPress "tested up to" version 6.8 (props [@qasumitbagthariya](https://github.com/qasumitbagthariya), [@dkotter](https://github.com/dkotter) via [#148](https://github.com/mailchimp/wordpress/pull/148)). * **Changed:** Bump WordPress minimum supported version from 6.3 to 6.4 (props [@qasumitbagthariya](https://github.com/qasumitbagthariya), [@dkotter](https://github.com/dkotter) via [#148](https://github.com/mailchimp/wordpress/pull/148)). += 1.7.1 - 2026-01-08 = +* **Fixed:** Provide CSRF hardening for Mailchimp List changes (props [@iamdharmesh](https://github.com/iamdharmesh), [@joemcgill](https://github.com/joemcgill), [@dkotter](https://github.com/dkotter), [@qasumitbagthariya](https://github.com/qasumitbagthariya)). + = 1.7.0 - 2025-04-08 = * **Changed:** Enhance the Mailchimp List Subscribe Form block to allow for selecting an audience list, reorder fields, toggle field and group visibility, and various other improvements (props [@iamdharmesh](https://github.com/iamdharmesh), [@jeffpaul](https://github.com/jeffpaul), [@dkotter](https://github.com/dkotter), [@qasumitbagthariya](https://github.com/qasumitbagthariya) via [#126](https://github.com/mailchimp/wordpress/pull/126)). * **Changed:** Plugin settings page success and error messages will now use WP admin notices (props [@MaxwellGarceau](https://github.com/MaxwellGarceau), [@jeffpaul](https://github.com/jeffpaul), [@dkotter](https://github.com/dkotter), [@qasumitbagthariya](https://github.com/qasumitbagthariya), [@iamdharmesh](https://github.com/iamdharmesh) via [#85](https://github.com/mailchimp/wordpress/pull/85)). 
@@ -116,6 +130,9 @@ If you are upgrading to version 1.2.1 and you used the widget in your sidebar pr * **Removed:** The "Remove Mailchimp CSS" settings from the Mailchimp settings page (props [@iamdharmesh](https://github.com/iamdharmesh), [@jeffpaul](https://github.com/jeffpaul), [@dkotter](https://github.com/dkotter), [@qasumitbagthariya](https://github.com/qasumitbagthariya) via [#126](https://github.com/mailchimp/wordpress/pull/126)). * **Security:** Bump `express` from 4.21.0 to 4.21.2 (props [@dependabot](https://github.com/apps/dependabot), [@iamdharmesh](https://github.com/iamdharmesh), [@dkotter](https://github.com/dkotter) via [#125](https://github.com/mailchimp/wordpress/pull/125)). += 1.6.4 - 2026-01-08 = +* **Fixed:** Provide CSRF hardening for Mailchimp List changes (props [@iamdharmesh](https://github.com/iamdharmesh), [@joemcgill](https://github.com/joemcgill), [@dkotter](https://github.com/dkotter), [@qasumitbagthariya](https://github.com/qasumitbagthariya)). + = 1.6.3 - 2025-01-30 = * **Added:** Transform the `mailchimp_sf_shortcode` shortcode to the Mailchimp List Subscribe Form block (props [@MaxwellGarceau](https://github.com/qasumitbagthariya), [@jeffpaul](https://github.com/vikrampm1), [@dkotter](https://github.com/dkotter), [@qasumitbagthariya](https://github.com/qasumitbagthariya) via [#84](https://github.com/mailchimp/wordpress/pull/84)). * **Removed:** Deprecated Sopresto code (props [@MaxwellGarceau](https://github.com/qasumitbagthariya), [@jeffpaul](https://github.com/vikrampm1), [@dkotter](https://github.com/dkotter) via [#98](https://github.com/mailchimp/wordpress/pull/98)). diff --git a/tests/cypress/support/commands/mailchimpLogin.js b/tests/cypress/support/commands/mailchimpLogin.js index fe217a7..62b1bd3 100644 --- a/tests/cypress/support/commands/mailchimpLogin.js +++ b/tests/cypress/support/commands/mailchimpLogin.js 
@@ -50,6 +50,8 @@ Cypress.Commands.add('mailchimpLogin', (user = null, pass = null) => { }); cy.popup().find('input#username').clear().type(username, { force: true }); + cy.popup().find('button[type="submit"]').click({ force: true }); + cy.wait(5000); cy.popup().find('input#password').clear().type(password, { force: true }); cy.popup().find('button[type="submit"]').click({ force: true }); cy.wait(10000); // Not a best practice, but did not find a better way to handle this.
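Review bot: In CHANGELOG.md, the new `## [1.8.1]` and `## 1.5.9` entries (hunks `@@ -43,6 +60,13 @@` and `@@ -209,6 +245,13 @@`) each end with two added blank lines, while the other new entries end with one; drop the extra line so the file stays consistent. In the `## [2.0.1]` entry, "Plugin check plugin errors to improve overall codebase" under "Fixed" does not say what was fixed; something like "Resolve errors reported by the Plugin Check plugin" would read more clearly. That entry and the "tested up to" bump also lack the `via [#N]` pull request link that the surrounding entries carry.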
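Review bot: In includes/class-mailchimp-form-submission.php, the `phpcs:disable WordPress.Security.NonceVerification.Missing` blocks in `handle_form_submission()`, `prepare_groups_body()` and `validate_form_submission()` rely on a nonce check in `request_handler()`, which this diff does not show, and the first two (plus `prepare_merge_fields_body()`) are `public` methods that read `$_POST` directly. Any caller that reaches them without going through `request_handler()` gets no nonce verification and no phpcs warning. Suggest stating the precondition in each method's docblock, and preferring the per-line `phpcs:ignore` form already used in `prepare_merge_fields_body()` over block-wide disables, so that a `$_POST` read added later inside these blocks is still flagged.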
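Review bot: In mailchimp.php, hunk `@@ -421,7 +421,7 @@`, the `phpcs:disable` added at the top of `mailchimp_sf_save_general_form_settings()` stays in effect until the `phpcs:enable` at the end of the function (hunk `@@ -521,6 +521,7 @@`), so every `update_option()` call driven by `$_POST` in between is exempt from the nonce sniff on the assumption that `mailchimp_sf_request_handler()` has already verified it. This patch gives `mailchimp_sf_change_list_if_necessary()` its own capability and nonce guard; the same explicit guard here, or at least a docblock line naming the caller that performs the check, would keep the settings writes protected if the function is ever invoked from another path.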
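Review bot: In mailchimp.php, hunk `@@ -531,15 +532,20 @@` (`mailchimp_sf_change_list_if_necessary()`), the new guard ends in `wp_die( 'Security check failed.' );` with a bare string and no response code, so a failed capability or nonce check goes out with wp_die's default 500 status and an untranslated message. Suggest `wp_die( esc_html__( 'Security check failed.', 'mailchimp' ), '', array( 'response' => 403 ) );`, in line with the text-domain fixes elsewhere in this patch. The nonce is read as `sanitize_key( $_POST['update_mc_list_id_nonce'] )` while other `$_POST` reads in this patch go through `wp_unslash()` first; `sanitize_text_field( wp_unslash( ... ) )` would be consistent. Two things to confirm before merge: that the settings form emits a field named `update_mc_list_id_nonce` for the action `update_mc_list_id_action` (the added line in the includes/admin/templates/settings.php hunk is not readable here), and that every request carrying `mc_list_id` comes from that form, because the old code returned quietly on a failed capability check and the new code terminates the request.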
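Review bot: In mailchimp.php, hunk `@@ -605,7 +611,7 @@`, the changed line still builds the notice by concatenating the fragment `esc_html__( 'from your list', 'mailchimp' )` with `$list_name`, and `$list_name` is inserted without escaping in the visible lines. Since the line is being touched for the text domain anyway, wrap the value as `esc_html( $list_name )` unless it is escaped earlier in the function, and consider folding the fragment and the list name into the preceding translatable string with a placeholder, because sentence fragments joined in code cannot be reordered by translators.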
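Review bot: In tests/cypress/support/commands/mailchimpLogin.js, hunk `@@ -50,6 +50,8 @@`, the added `cy.wait(5000);` between submitting the username and typing the password is a fixed sleep with no comment, unlike the existing `cy.wait(10000)` two lines later, which at least explains itself. A fixed delay makes the login step both slow and flaky when the popup takes longer than five seconds. Suggest waiting on the condition instead, for example asserting that `input#password` in the popup is visible with a longer timeout before typing into it, and adding a comment noting that the login is now a two-step form.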