Merged
48 changes: 48 additions & 0 deletions CHANGELOG.md
Expand Up @@ -4,6 +4,17 @@ All notable changes to this project will be documented in this file, per [the Ke

## [Unreleased] - TBD

## [2.0.1] - 2026-01-08

### Fixed

- Provide CSRF hardening for Mailchimp List changes (props [@iamdharmesh](https://github.com/iamdharmesh), [@joemcgill](https://github.com/joemcgill), [@dkotter](https://github.com/dkotter), [@qasumitbagthariya](https://github.com/qasumitbagthariya)).
- Plugin check plugin errors to improve overall codebase (props [@iamdharmesh](https://github.com/iamdharmesh), [@joemcgill](https://github.com/joemcgill), [@dkotter](https://github.com/dkotter), [@qasumitbagthariya](https://github.com/qasumitbagthariya)).

### Changed

- Bump WordPress "tested up to" version 6.9 (props [@iamdharmesh](https://github.com/iamdharmesh), [@joemcgill](https://github.com/joemcgill), [@qasumitbagthariya](https://github.com/qasumitbagthariya)).

## [2.0.0] - 2025-08-11

### Added
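Review bot: the second Fixed entry under 2.0.1, "Plugin check plugin errors to improve overall codebase", does not read as a sentence; suggest something like "Fix errors reported by the Plugin Check plugin across the codebase". Also, unlike the existing entries further down (e.g. `via [#174](https://github.com/mailchimp/wordpress/pull/174)`), none of the three new 2.0.1 entries link a pull request; if that is deliberate for the CSRF fix, fine, but the Plugin Check and "tested up to" entries could carry their PR links for consistency.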
Expand Down Expand Up @@ -33,6 +44,12 @@ All notable changes to this project will be documented in this file, per [the Ke

- Update 10up-toolkit from 6.2.0 to 6.5.0 (props [@iamdharmesh](https://github.com/iamdharmesh), [@dkotter](https://github.com/dkotter) via [#174](https://github.com/mailchimp/wordpress/pull/174)).

## [1.9.1] - 2026-01-08

### Fixed

- Provide CSRF hardening for Mailchimp List changes (props [@iamdharmesh](https://github.com/iamdharmesh), [@joemcgill](https://github.com/joemcgill), [@dkotter](https://github.com/dkotter), [@qasumitbagthariya](https://github.com/qasumitbagthariya)).

## [1.9.0] - 2025-06-04

### Added
Expand All @@ -43,6 +60,13 @@ All notable changes to this project will be documented in this file, per [the Ke

- Improved the enqueueing of JavaScript scripts and styles (props [@iamdharmesh](https://github.com/iamdharmesh), [@dkotter](https://github.com/dkotter), [@qasumitbagthariya](https://github.com/qasumitbagthariya) via [#161](https://github.com/mailchimp/wordpress/pull/161)).

## [1.8.1] - 2026-01-08

### Fixed

- Provide CSRF hardening for Mailchimp List changes (props [@iamdharmesh](https://github.com/iamdharmesh), [@joemcgill](https://github.com/joemcgill), [@dkotter](https://github.com/dkotter), [@qasumitbagthariya](https://github.com/qasumitbagthariya)).


## [1.8.0] - 2025-05-08

**Note that this release bumps the WordPress minimum version from 6.3 to 6.4.**
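Review bot: there are two blank lines between the 1.8.1 Fixed entry and the `## [1.8.0]` heading, where every other release block in this file is separated by one; drop the extra blank line.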
Expand All @@ -58,6 +82,12 @@ All notable changes to this project will be documented in this file, per [the Ke
- Bump WordPress "tested up to" version 6.8 (props [@qasumitbagthariya](https://github.com/qasumitbagthariya), [@dkotter](https://github.com/dkotter) via [#148](https://github.com/mailchimp/wordpress/pull/148)).
- Bump WordPress minimum supported version from 6.3 to 6.4 (props [@qasumitbagthariya](https://github.com/qasumitbagthariya), [@dkotter](https://github.com/dkotter) via [#148](https://github.com/mailchimp/wordpress/pull/148)).

## [1.7.1] - 2026-01-08

### Fixed

- Provide CSRF hardening for Mailchimp List changes (props [@iamdharmesh](https://github.com/iamdharmesh), [@joemcgill](https://github.com/joemcgill), [@dkotter](https://github.com/dkotter), [@qasumitbagthariya](https://github.com/qasumitbagthariya)).

## [1.7.0] - 2025-04-08

### Changed
Expand Down Expand Up @@ -91,6 +121,12 @@ All notable changes to this project will be documented in this file, per [the Ke
- Update all third-party actions our workflows rely on to use versions based on specific commit hashes (props [@dkotter](https://github.com/dkotter), [@jeffpaul](https://github.com/jeffpaul), [@iamdharmesh](https://github.com/iamdharmesh) via [#128](https://github.com/mailchimp/wordpress/pull/128)).
- Prevent overwriting the release content with the body text provided in the GitHub Action workflow file (props [@iamdharmesh](https://github.com/iamdharmesh), [@dkotter](https://github.com/dkotter) via [#129](https://github.com/mailchimp/wordpress/pull/129)).

## [1.6.4] - 2026-01-08

### Fixed

- Provide CSRF hardening for Mailchimp List changes (props [@iamdharmesh](https://github.com/iamdharmesh), [@joemcgill](https://github.com/joemcgill), [@dkotter](https://github.com/dkotter), [@qasumitbagthariya](https://github.com/qasumitbagthariya)).

## [1.6.3] - 2025-01-30

### Added
Expand Down Expand Up @@ -209,6 +245,13 @@ All notable changes to this project will be documented in this file, per [the Ke
- Added ESLint GitHub Action Workflow (props [@dkotter](https://github.com/dkotter), [@jeffpaul](https://github.com/jeffpaul) via [#20](https://github.com/mailchimp/wordpress/pull/20)).
- Added Standard GitHub Action Workflows (props [@dkotter](https://github.com/dkotter), [@jeffpaul](https://github.com/jeffpaul) via [#21](https://github.com/mailchimp/wordpress/pull/21)).

## 1.5.9 - 2026-01-08

### Fixed

- Provide CSRF hardening for Mailchimp List changes.


## 1.5.8 - 2022-09-26

### Changed
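Review bot: two blank lines separate the 1.5.9 entry from `## 1.5.8`; drop one to match the rest of the file. The unbracketed `## 1.5.9` heading with no compare link matches the neighbouring 1.5.8 entry, so that is consistent, but this is the only one of the new CSRF entries without props; add them for parity with the other releases.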
Expand Down Expand Up @@ -352,10 +395,15 @@ All notable changes to this project will be documented in this file, per [the Ke
- Security and various other improvements

[Unreleased]: https://github.com/mailchimp/wordpress/compare/main...develop
[2.0.1]: https://github.com/mailchimp/wordpress/compare/2.0.0...2.0.1
[2.0.0]: https://github.com/mailchimp/wordpress/compare/1.9.0...2.0.0
[1.9.1]: https://github.com/mailchimp/wordpress/compare/1.9.0...1.9.1
[1.9.0]: https://github.com/mailchimp/wordpress/compare/1.8.0...1.9.0
[1.8.1]: https://github.com/mailchimp/wordpress/compare/1.8.0...1.8.1
[1.8.0]: https://github.com/mailchimp/wordpress/compare/1.7.0...1.8.0
[1.7.1]: https://github.com/mailchimp/wordpress/compare/1.7.0...1.7.1
[1.7.0]: https://github.com/mailchimp/wordpress/compare/1.6.3...1.7.0
[1.6.4]: https://github.com/mailchimp/wordpress/compare/1.6.3...1.6.4
[1.6.3]: https://github.com/mailchimp/wordpress/compare/1.6.2...1.6.3
[1.6.2]: https://github.com/mailchimp/wordpress/compare/1.6.1...1.6.2
[1.6.1]: https://github.com/mailchimp/wordpress/compare/1.6.0...1.6.1
2 changes: 1 addition & 1 deletion CREDITS.md
Expand Up @@ -12,7 +12,7 @@ The following individuals are responsible for curating the list of issues, respo

Thank you to all the people who have already contributed to this repository via bug reports, code, design, ideas, project management, translation, testing, etc.

[Mailchimp (@mailchimp)](https://github.com/mailchimp), [Crowd Favorite (@crowdfavorite)](https://github.com/crowdfavorite), [Matthew Richmond (@bigdawggi)](https://github.com/bigdawggi), [Devin Reams (@devinreams)](https://github.com/devinreams), [Alex King (@alexkingorg)](https://github.com/alexkingorg), [Jesse (@jessedp)](https://github.com/jessedp), [Andrew Ellis](awellis@me.com), [Evan Anderson (@ejdanderson)](https://github.com/ejdanderson), [Webb Henderson (@emerywebster)](https://github.com/emerywebster), [Steven Mathias (@ssmathias)](https://github.com/ssmathias), [Jonathan D. Johnson (@jondavidjohn)](https://github.com/jondavidjohn), [Ross Tweedie (@digitales)](https://github.com/digitales), [(@mcwill)](https://github.com/mcwill), [Andrew Austin (@andrewjaustin)](https://github.com/andrewjaustin), [Marc Queralt i Bassa (@MarcQueralt)](https://github.com/MarcQueralt), [Chris Mospaw (@mospaw)](https://github.com/mospaw), [Jonas Stensved (@jstensved)](https://github.com/jstensved), [netboy](netboy@netboy.pl), [Lenin](lenin@tasawr.com), [Bauke Zwaan (@baukezwaan)](https://github.com/baukezwaan), [Jascha Ehrenreich (@jaeh)](https://github.com/jaeh), [Chris Wilcoxson (@slushman)](https://github.com/slushman), [Luke Watts (@thisislawatts)](https://github.com/thisislawatts), [Glenn Ansley (@glennansley)](https://github.com/glennansley), [SiteGround](http://www.siteground.com/wordpress-hosting.htm), [Peter Kahoun](http://kahi.cz/), [Jan Lund](), [Michael Jaekel](), [Ιωάννης Δημοφέρλιας (John Dimoferlias)](), [Tomás Nader](), [Claudia Mansilla](http://cricava.com/), [Helen Urbanik](http://www.motomaania.ee/), [Maxime Toulliou](http://www.maximetoulliou.com/), [שגיב בית](http://www.sagive.co.il), [Okostobi](), [Stefan Des](http://www.stefandes.com), [백선기 (SK Baek)](), [Alexander Roterud aka Defrag](http://www.tigerpews.com), [Filip Stas](http://suddenelfilio.net/), [Maria Manoela Porto](), [Tiago Faria](http://xroot.org), [Alexandru Armin Roșu](), 
[Илья](http://fatcow.com), [Sebastian Johnsson](http://www.agiley.se/), [Hakan E.](http://kazancexpert.com/), [Josh Grosser (@jgrosser-intuit)](https://github.com/jgrosser-intuit), [10up (@10up)](https://github.com/10up), [Nate Conley (@nateconley)](https://github.com/nateconley), [Darin Kotter (@dkotter)](https://github.com/dkotter), [Jeffrey Paul (@jeffpaul)](https://github.com/jeffpaul), [Eddie Shrake (@eddieshrake)](https://github.com/eddieshrake), [Sumit Bagthariya (@qasumitbagthariya)](https://github.com/qasumitbagthariya), [Vikram Moparthy (@vikrampm1)](https://github.com/vikrampm1), [Dharmesh Patel (@iamdharmesh)](https://github.com/iamdharmesh), [GitHub Dependabot (@dependabot)](https://github.com/apps/dependabot), [Jer Clarke (@jerclarke)](https://github.com/jerclarke), [Max Garceau (@MaxwellGarceau)](https://github.com/MaxwellGarceau), [Nathan Tetzlaff](), [Romain Deville](https://www.linkedin.com/in/devilleromain/).
[Mailchimp (@mailchimp)](https://github.com/mailchimp), [Crowd Favorite (@crowdfavorite)](https://github.com/crowdfavorite), [Matthew Richmond (@bigdawggi)](https://github.com/bigdawggi), [Devin Reams (@devinreams)](https://github.com/devinreams), [Alex King (@alexkingorg)](https://github.com/alexkingorg), [Jesse (@jessedp)](https://github.com/jessedp), [Andrew Ellis](awellis@me.com), [Evan Anderson (@ejdanderson)](https://github.com/ejdanderson), [Webb Henderson (@emerywebster)](https://github.com/emerywebster), [Steven Mathias (@ssmathias)](https://github.com/ssmathias), [Jonathan D. Johnson (@jondavidjohn)](https://github.com/jondavidjohn), [Ross Tweedie (@digitales)](https://github.com/digitales), [(@mcwill)](https://github.com/mcwill), [Andrew Austin (@andrewjaustin)](https://github.com/andrewjaustin), [Marc Queralt i Bassa (@MarcQueralt)](https://github.com/MarcQueralt), [Chris Mospaw (@mospaw)](https://github.com/mospaw), [Jonas Stensved (@jstensved)](https://github.com/jstensved), [netboy](netboy@netboy.pl), [Lenin](lenin@tasawr.com), [Bauke Zwaan (@baukezwaan)](https://github.com/baukezwaan), [Jascha Ehrenreich (@jaeh)](https://github.com/jaeh), [Chris Wilcoxson (@slushman)](https://github.com/slushman), [Luke Watts (@thisislawatts)](https://github.com/thisislawatts), [Glenn Ansley (@glennansley)](https://github.com/glennansley), [SiteGround](http://www.siteground.com/wordpress-hosting.htm), [Peter Kahoun](http://kahi.cz/), [Jan Lund](), [Michael Jaekel](), [Ιωάννης Δημοφέρλιας (John Dimoferlias)](), [Tomás Nader](), [Claudia Mansilla](http://cricava.com/), [Helen Urbanik](http://www.motomaania.ee/), [Maxime Toulliou](http://www.maximetoulliou.com/), [שגיב בית](http://www.sagive.co.il), [Okostobi](), [Stefan Des](http://www.stefandes.com), [백선기 (SK Baek)](), [Alexander Roterud aka Defrag](http://www.tigerpews.com), [Filip Stas](http://suddenelfilio.net/), [Maria Manoela Porto](), [Tiago Faria](http://xroot.org), [Alexandru Armin Roșu](), 
[Илья](http://fatcow.com), [Sebastian Johnsson](http://www.agiley.se/), [Hakan E.](http://kazancexpert.com/), [Josh Grosser (@jgrosser-intuit)](https://github.com/jgrosser-intuit), [10up (@10up)](https://github.com/10up), [Nate Conley (@nateconley)](https://github.com/nateconley), [Darin Kotter (@dkotter)](https://github.com/dkotter), [Jeffrey Paul (@jeffpaul)](https://github.com/jeffpaul), [Eddie Shrake (@eddieshrake)](https://github.com/eddieshrake), [Sumit Bagthariya (@qasumitbagthariya)](https://github.com/qasumitbagthariya), [Vikram Moparthy (@vikrampm1)](https://github.com/vikrampm1), [Dharmesh Patel (@iamdharmesh)](https://github.com/iamdharmesh), [GitHub Dependabot (@dependabot)](https://github.com/apps/dependabot), [Jer Clarke (@jerclarke)](https://github.com/jerclarke), [Max Garceau (@MaxwellGarceau)](https://github.com/MaxwellGarceau), [Nathan Tetzlaff](), [Romain Deville](https://www.linkedin.com/in/devilleromain/), [@joemcgill](https://github.com/joemcgill).

## Libraries

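Review bot: the new credit `[@joemcgill](https://github.com/joemcgill)` is the only entry in the list without a display name; every other GitHub entry uses the `Name (@handle)` form. Consider adding the contributor's display name so the list stays uniform.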
3 changes: 2 additions & 1 deletion includes/admin/class-mailchimp-user-sync.php
Expand Up @@ -325,7 +325,8 @@ public function subscriber_status_field() {
_n(
'You will need %1$sa Mailchimp plan%2$s that includes %3$d contact.',
'You will need %1$sa Mailchimp plan%2$s that includes %3$d contacts.',
absint( $users_count )
absint( $users_count ),
'mailchimp'
),
'<a href="https://mailchimp.com/help/about-mailchimp-pricing-plans/" target="_blank" rel="noopener noreferrer">',
'</a>',
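Review bot: correct fix; without the fourth argument `_n()` looks the strings up in the default text domain, so the plugin's `mailchimp` translation files could never match them. Nothing further needed in this hunk.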
1 change: 1 addition & 0 deletions includes/admin/templates/settings.php
Expand Up @@ -94,6 +94,7 @@ function ( $ele ) {
</div>
<div class="mailchimp-sf-settings-list-select-button">
<input type="hidden" name="mcsf_action" value="update_mc_list_id" />
<?php wp_nonce_field( 'update_mc_list_id_action', 'update_mc_list_id_nonce' ); ?>
<input type="submit" name="submit" value="<?php esc_attr_e( 'Fetch list settings', 'mailchimp' ); ?>" class="mailchimp-sf-button btn-secondary" />
</div>
</div>
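Review bot: the nonce field is emitted here, but the verifying side is not in this diff. Please confirm that the handler processing `mcsf_action=update_mc_list_id` calls `check_admin_referer( 'update_mc_list_id_action', 'update_mc_list_id_nonce' )` (or `wp_verify_nonce()` on the same field and action) before the list id is written, and that it still gates on `current_user_can()`: a nonce proves the request came from this form, not that the user is allowed to change the setting.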
6 changes: 3 additions & 3 deletions includes/admin/templates/setup-page.php
Expand Up @@ -224,7 +224,7 @@
<tr>
<th class="mailchimp-sf-option-header">
<label for="mc_nuke_all_styles">
<?php esc_html_e( 'Remove CSS' ); ?>
<?php esc_html_e( 'Remove CSS', 'mailchimp' ); ?>
</label>
</th>
<td>
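Review bot: good, the `esc_html_e()` calls in this template were missing the `mailchimp` text domain and so were untranslatable. Since three such calls turned up in one file, it is worth grepping the remaining templates for `__()`/`_e()`/`esc_html_e()` calls without a domain before this ships.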
Expand All @@ -234,7 +234,7 @@
<input type="checkbox" name="mc_nuke_all_styles" id="mc_nuke_all_styles" class="mailchimp-sf-checkbox" <?php checked( get_option( 'mc_nuke_all_styles' ), true ); ?> onclick="showMe('mc-custom-styling')"/>
</div>
<label for="mc_nuke_all_styles">
<?php esc_html_e( 'This will disable all Mailchimp CSS, so it\'s recommended for WordPress experts only.' ); ?>
<?php esc_html_e( 'This will disable all Mailchimp CSS, so it\'s recommended for WordPress experts only.', 'mailchimp' ); ?>
</label>
</div>
</td>
Expand Down Expand Up @@ -265,7 +265,7 @@
<input type="checkbox" name="mc_custom_style" id="mc_custom_style" class="mailchimp-sf-checkbox"<?php checked( get_option( 'mc_custom_style' ), 'on' ); ?> />
</div>
<label for="mc_custom_style">
<?php esc_html_e( 'Edit the default Mailchimp CSS style.' ); ?>
<?php esc_html_e( 'Edit the default Mailchimp CSS style.', 'mailchimp' ); ?>
</label>
</div>
</td>
9 changes: 8 additions & 1 deletion includes/class-mailchimp-form-submission.php
Expand Up @@ -99,6 +99,7 @@ public function handle_form_submission() {
$merge_fields = get_option( 'mc_merge_vars', array() );
$interest_groups = get_option( 'mc_interest_groups', array() );

// phpcs:disable WordPress.Security.NonceVerification.Missing -- Nonce check is already done in the request_handler() function.
// Check if request from latest block.
if ( isset( $_POST['mailchimp_sf_list_id'] ) ) {
$list_id = isset( $_POST['mailchimp_sf_list_id'] ) ? sanitize_text_field( wp_unslash( $_POST['mailchimp_sf_list_id'] ) ) : '';
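Review bot: the `phpcs:disable` justification says the nonce is verified in `request_handler()`, which is not part of this diff. Suppressing `NonceVerification.Missing` is only safe if `handle_form_submission()` cannot be reached by any path other than `request_handler()`; since it is a `public` method, confirm it is not hooked to an action or callable directly, or better, add an explicit `wp_verify_nonce()` check at the top of the method so the suppression rests on code rather than on a comment. The disable also stays open for roughly fifty lines (from the `-99` hunk to the `enable` beside the `$email_type` block); keep the suppressed region as tight as possible so future `$_POST` reads inside it are still flagged.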
Expand Down Expand Up @@ -148,6 +149,7 @@ public function handle_form_submission() {
} else {
$email_type = 'html';
}
// phpcs:enable WordPress.Security.NonceVerification.Missing

$response = $this->subscribe_to_list(
$list_id,
Expand Down Expand Up @@ -251,10 +253,11 @@ public function prepare_merge_fields_body( $merge_fields, $skip_merge_validation
$opt = 'mc_mv_' . $tag;

// Skip if the field is not required and not submitted.
if ( ( true !== (bool) $merge_field['required'] && ! isset( $_POST[ $opt ] ) ) || $skip_merge_validation ) {
if ( ( true !== (bool) $merge_field['required'] && ! isset( $_POST[ $opt ] ) ) || $skip_merge_validation ) { // phpcs:ignore WordPress.Security.NonceVerification.Missing -- Nonce check is already done in the request_handler() function.
continue;
}

// phpcs:ignore WordPress.Security.NonceVerification.Missing -- Nonce check is already done in the request_handler() function.
$opt_val = isset( $_POST[ $opt ] ) ? map_deep( stripslashes_deep( $_POST[ $opt ] ), 'sanitize_text_field' ) : '';

switch ( $merge_field['type'] ) {
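Review bot: the inline `// phpcs:ignore` appended to the `if` on the `continue` guard makes an already long line longer, and the method now has two suppressions three lines apart; a `phpcs:disable`/`phpcs:enable` pair around the block, as done in `prepare_groups_body()` and `validate_form_submission()`, would be cleaner. Note that `$_POST[ $opt ]` is passed through `map_deep( stripslashes_deep(...), 'sanitize_text_field' )`, so the ignore only covers nonce verification, not sanitization; fine as written.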
Expand Down Expand Up @@ -339,6 +342,7 @@ public function prepare_groups_body( $interest_groups ) {

foreach ( $interest_groups as $interest_group ) {
$ig_id = $interest_group['id'];
// phpcs:disable WordPress.Security.NonceVerification.Missing -- Nonce check is already done in the request_handler() function.
if ( isset( $_POST['group'][ $ig_id ] ) && 'hidden' !== $interest_group['type'] ) {
switch ( $interest_group['type'] ) {
case 'dropdown':
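Review bot: the `phpcs:disable` sits inside the `foreach` body, and its matching `enable` (visible in the following hunk) is also inside the loop, so the pair wraps every iteration textually. PHPCS handles that, but placing the pair around the whole loop (one line before `foreach`, one after) reads better and mirrors the layout used in `validate_form_submission()`.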
Expand Down Expand Up @@ -367,6 +371,7 @@ public function prepare_groups_body( $interest_groups ) {
break;
}
}
// phpcs:enable WordPress.Security.NonceVerification.Missing
}
return $groups;
}
Expand Down Expand Up @@ -544,6 +549,7 @@ public function remove_empty_merge_fields( $merge ) {
* @return bool|WP_Error True if valid, WP_Error if invalid.
*/
protected function validate_form_submission() {
// phpcs:disable WordPress.Security.NonceVerification.Missing -- Nonce check is already done in the request_handler() function.
$spam_message = esc_html__( "We couldn't process your submission as it was flagged as potential spam. Please try again.", 'mailchimp' );
// Make sure the honeypot field is set, but not filled (if it is, then it's a spam).
if ( ! isset( $_POST['mailchimp_sf_alt_email'] ) || ! empty( $_POST['mailchimp_sf_alt_email'] ) ) {
Expand Down Expand Up @@ -579,5 +585,6 @@ protected function validate_form_submission() {
* @param array $post_data The $_POST data.
*/
return apply_filters( 'mailchimp_sf_form_submission_validation', true, $_POST );
// phpcs:enable WordPress.Security.NonceVerification.Missing
}
}
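Review bot: the `// phpcs:enable` on the line after `return apply_filters( ... )` is still read by PHPCS, so it works, but it sits in unreachable code and looks like dead code to a reader; moving it above the `return` keeps the same effect. Separately, the raw `$_POST` handed to the `mailchimp_sf_form_submission_validation` filter is unsanitized by design so that consumers see the full payload; the docblock's `@param array $post_data The $_POST data.` should say so explicitly, so filter authors know they must sanitize before use.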