Changeset 3435538

Timestamp:

01/08/2026 11:25:49 PM (6 weeks ago)

Author:

Dharm1025

Message:

Update to version 2.0.1 from GitHub

Location:

mailchimp

Files:

• tags/2.0.1 (copied) (copied from mailchimp/trunk)
• tags/2.0.1/includes/admin/class-mailchimp-user-sync.php (modified) (1 diff)
• tags/2.0.1/includes/admin/templates/settings.php (modified) (1 diff)
• tags/2.0.1/includes/admin/templates/setup-page.php (modified) (3 diffs)
• tags/2.0.1/includes/class-mailchimp-form-submission.php (modified) (7 diffs)
• tags/2.0.1/mailchimp.php (modified) (8 diffs)
• tags/2.0.1/readme.txt (modified) (5 diffs)
• tags/2.0.1/vendor/composer/autoload_static.php (modified) (2 diffs)
• tags/2.0.1/vendor/composer/installed.php (modified) (2 diffs)
• trunk/includes/admin/class-mailchimp-user-sync.php (modified) (1 diff)
• trunk/includes/admin/templates/settings.php (modified) (1 diff)
• trunk/includes/admin/templates/setup-page.php (modified) (3 diffs)
• trunk/includes/class-mailchimp-form-submission.php (modified) (7 diffs)
• trunk/mailchimp.php (modified) (8 diffs)
• trunk/readme.txt (modified) (5 diffs)
• trunk/vendor/composer/autoload_static.php (modified) (2 diffs)
• trunk/vendor/composer/installed.php (modified) (2 diffs)

mailchimp/tags/2.0.1/includes/admin/class-mailchimp-user-sync.php

@@ -326 +326 @@
                         'You will need %1$sa Mailchimp plan%2$s that includes %3$d contact.',
                         'You will need %1$sa Mailchimp plan%2$s that includes %3$d contacts.',
-                        absint( $users_count )
+                        absint( $users_count ),
+                        'mailchimp'
                     ),
                     '<a href="https://mailchimp.com/help/about-mailchimp-pricing-plans/" target="_blank" rel="noopener noreferrer">',

mailchimp/tags/2.0.1/includes/admin/templates/settings.php

@@ -95 +95 @@
                                     <div class="mailchimp-sf-settings-list-select-button">
                                         <input type="hidden" name="mcsf_action" value="update_mc_list_id" />
+                                        <?php wp_nonce_field( 'update_mc_list_id_action', 'update_mc_list_id_nonce' ); ?>
                                         <input type="submit" name="submit" value="<?php esc_attr_e( 'Fetch list settings', 'mailchimp' ); ?>" class="mailchimp-sf-button btn-secondary" />
                                     </div>

mailchimp/tags/2.0.1/includes/admin/templates/setup-page.php

@@ -225 +225 @@
                                 <th class="mailchimp-sf-option-header">
                                     <label for="mc_nuke_all_styles">
-                                        <?php esc_html_e( 'Remove CSS' ); ?>
+                                        <?php esc_html_e( 'Remove CSS', 'mailchimp' ); ?>
                                     </label>
                                 </th>
@@ -235 +235 @@
                                         </div>
                                         <label for="mc_nuke_all_styles">
-                                            <?php esc_html_e( 'This will disable all Mailchimp CSS, so it\'s recommended for WordPress experts only.' ); ?>
+                                            <?php esc_html_e( 'This will disable all Mailchimp CSS, so it\'s recommended for WordPress experts only.', 'mailchimp' ); ?>
                                         </label>
                                     </div>
@@ -266 +266 @@
                                         </div>
                                         <label for="mc_custom_style">
-                                            <?php esc_html_e( 'Edit the default Mailchimp CSS style.' ); ?>
+                                            <?php esc_html_e( 'Edit the default Mailchimp CSS style.', 'mailchimp' ); ?>
                                         </label>
                                     </div>

mailchimp/tags/2.0.1/includes/class-mailchimp-form-submission.php

@@ -100 +100 @@
         $interest_groups       = get_option( 'mc_interest_groups', array() );
 
+        // phpcs:disable WordPress.Security.NonceVerification.Missing -- Nonce check is already done in the request_handler() function.
         // Check if request from latest block.
         if ( isset( $_POST['mailchimp_sf_list_id'] ) ) {
@@ -149 +150 @@
             $email_type = 'html';
         }
+        // phpcs:enable WordPress.Security.NonceVerification.Missing
 
         $response = $this->subscribe_to_list(
@@ -252 +254 @@
 
             // Skip if the field is not required and not submitted.
-            if ( ( true !== (bool) $merge_field['required'] && ! isset( $_POST[ $opt ] ) ) || $skip_merge_validation ) {
+            if ( ( true !== (bool) $merge_field['required'] && ! isset( $_POST[ $opt ] ) ) || $skip_merge_validation ) { // phpcs:ignore WordPress.Security.NonceVerification.Missing -- Nonce check is already done in the request_handler() function.
                 continue;
             }
 
+            // phpcs:ignore WordPress.Security.NonceVerification.Missing -- Nonce check is already done in the request_handler() function.
             $opt_val = isset( $_POST[ $opt ] ) ? map_deep( stripslashes_deep( $_POST[ $opt ] ), 'sanitize_text_field' ) : '';
 
@@ -340 +343 @@
         foreach ( $interest_groups as $interest_group ) {
             $ig_id = $interest_group['id'];
+            // phpcs:disable WordPress.Security.NonceVerification.Missing -- Nonce check is already done in the request_handler() function.
             if ( isset( $_POST['group'][ $ig_id ] ) && 'hidden' !== $interest_group['type'] ) {
                 switch ( $interest_group['type'] ) {
@@ -368 +372 @@
                 }
             }
+            // phpcs:enable WordPress.Security.NonceVerification.Missing
         }
         return $groups;
@@ -545 +550 @@
      */
     protected function validate_form_submission() {
+        // phpcs:disable WordPress.Security.NonceVerification.Missing -- Nonce check is already done in the request_handler() function.
         $spam_message = esc_html__( "We couldn't process your submission as it was flagged as potential spam. Please try again.", 'mailchimp' );
         // Make sure the honeypot field is set, but not filled (if it is, then it's a spam).
@@ -580 +586 @@
          */
         return apply_filters( 'mailchimp_sf_form_submission_validation', true, $_POST );
+        // phpcs:enable WordPress.Security.NonceVerification.Missing
     }
 }

mailchimp/tags/2.0.1/mailchimp.php

@@ -5 +5 @@
  * Description:       Add a Mailchimp signup form block, widget or shortcode to your WordPress site.
  * Text Domain:       mailchimp
- * Version:           2.0.0
+ * Version:           2.0.1
  * Requires at least: 6.4
  * Requires PHP:      7.0
@@ -68 +68 @@
 
 // Version constant for easy CSS refreshes
-define( 'MCSF_VER', '2.0.0' );
+define( 'MCSF_VER', '2.0.1' );
 
 // What's our permission (capability) threshold
@@ -422 +422 @@
  **/
 function mailchimp_sf_save_general_form_settings() {
-
+    // phpcs:disable WordPress.Security.NonceVerification.Missing -- Nonce check is already done in the mailchimp_sf_request_handler() function.
     /*Enable double optin toggle*/
     if ( isset( $_POST['mc_double_optin'] ) ) {
@@ -448 +448 @@
     if ( isset( $_POST['mc_update_existing'] ) ) {
         update_option( 'mc_update_existing', true );
-        $msg = esc_html__( 'Update existing subscribers turned On!' );
+        $msg = esc_html__( 'Update existing subscribers turned On!', 'mailchimp' );
         admin_notice_success( $msg );
     } elseif ( get_option( 'mc_update_existing' ) !== false ) {
         update_option( 'mc_update_existing', false );
-        $msg = esc_html__( 'Update existing subscribers turned Off!' );
+        $msg = esc_html__( 'Update existing subscribers turned Off!', 'mailchimp' );
         admin_notice_success( $msg );
     }
@@ -522 +522 @@
     $msg = esc_html__( 'Successfully Updated your List Subscribe Form Settings!', 'mailchimp' );
     admin_notice_success( $msg );
+    // phpcs:enable WordPress.Security.NonceVerification.Missing
 }
 
@@ -532 +533 @@
     }
 
+    if (
+        ! current_user_can( MCSF_CAP_THRESHOLD ) ||
+        ! isset( $_POST['update_mc_list_id_nonce'] ) ||
+        ! wp_verify_nonce( sanitize_key( $_POST['update_mc_list_id_nonce'] ), 'update_mc_list_id_action' )
+    ) {
+        wp_die( 'Security check failed.' );
+    }
+
     if ( empty( $_POST['mc_list_id'] ) ) {
         $msg = esc_html__( 'Please choose a valid list', 'mailchimp' );
@@ -537 +546 @@
         return;
     }
-
-    // Simple permission check before going through all this
-    if ( ! current_user_can( MCSF_CAP_THRESHOLD ) ) { return; }
 
     $api = mailchimp_sf_get_api();
@@ -606 +612 @@
                 count( $mv )
             ) . ' ' .
-            esc_html__( 'from your list' ) . ' "' . $list_name . '"<br/><br/>' .
+            esc_html__( 'from your list', 'mailchimp' ) . ' "' . $list_name . '"<br/><br/>' .
             esc_html__( 'Now you should either Turn On the Mailchimp Widget or change your options below, then turn it on.', 'mailchimp' );
 

mailchimp/tags/2.0.1/readme.txt

@@ -2 +2 @@
 Contributors: Mailchimp
 Tags:         mailchimp, email, newsletter, signup, marketing
-Tested up to: 6.8
-Stable tag:   2.0.0
+Tested up to: 6.9
+Stable tag:   2.0.1
 License:      GPL-2.0-or-later
 License URI:  https://spdx.org/licenses/GPL-2.0-or-later.html
@@ -76 +76 @@
 
 == Changelog ==
+
+= 2.0.1 - 2026-01-08 =
+* **Fixed:** Provide CSRF hardening for Mailchimp List changes (props [@iamdharmesh](https://github.com/iamdharmesh), [@joemcgill](https://github.com/joemcgill), [@dkotter](https://github.com/dkotter), [@qasumitbagthariya](https://github.com/qasumitbagthariya)).
+* **Fixed:** Plugin check plugin errors to improve overall codebase (props [@iamdharmesh](https://github.com/iamdharmesh), [@joemcgill](https://github.com/joemcgill), [@dkotter](https://github.com/dkotter), [@qasumitbagthariya](https://github.com/qasumitbagthariya)).
+* **Changed:** Bump WordPress "tested up to" version 6.9 (props [@iamdharmesh](https://github.com/iamdharmesh), [@joemcgill](https://github.com/joemcgill), [@qasumitbagthariya](https://github.com/qasumitbagthariya)).
 
 = 2.0.0 - 2025-08-11 =
@@ -90 +95 @@
 * **Security:** Bump `http-proxy-middleware` from 2.0.6 to 2.0.9 (props [@dependabot](https://github.com/apps/dependabot), [@iamdharmesh](https://github.com/iamdharmesh) via [#180](https://github.com/mailchimp/wordpress/pull/180)).
 
+= 1.9.1 - 2026-01-08 =
+* **Fixed:** Provide CSRF hardening for Mailchimp List changes (props [@iamdharmesh](https://github.com/iamdharmesh), [@joemcgill](https://github.com/joemcgill), [@dkotter](https://github.com/dkotter), [@qasumitbagthariya](https://github.com/qasumitbagthariya)).
+
 = 1.9.0 - 2025-06-04 =
 * **Added:** New user synchronization feature that allows syncing WordPress users to Mailchimp (props [@iamdharmesh](https://github.com/iamdharmesh), [@jeffpaul](https://github.com/jeffpaul), [@dkotter](https://github.com/dkotter), [@qasumitbagthariya](https://github.com/qasumitbagthariya) via [#156](https://github.com/mailchimp/wordpress/pull/156)).
 * **Changed:** Improved the enqueueing of JavaScript scripts and styles (props [@iamdharmesh](https://github.com/iamdharmesh), [@dkotter](https://github.com/dkotter), [@qasumitbagthariya](https://github.com/qasumitbagthariya) via [#161](https://github.com/mailchimp/wordpress/pull/161)).
+
+= 1.8.1 - 2026-01-08 =
+* **Fixed:** Provide CSRF hardening for Mailchimp List changes (props [@iamdharmesh](https://github.com/iamdharmesh), [@joemcgill](https://github.com/joemcgill), [@dkotter](https://github.com/dkotter), [@qasumitbagthariya](https://github.com/qasumitbagthariya)).
 
 = 1.8.0 - 2025-05-08 =
@@ -102 +113 @@
 * **Changed:** Bump WordPress "tested up to" version 6.8 (props [@qasumitbagthariya](https://github.com/qasumitbagthariya), [@dkotter](https://github.com/dkotter) via [#148](https://github.com/mailchimp/wordpress/pull/148)).
 * **Changed:** Bump WordPress minimum supported version from 6.3 to 6.4 (props [@qasumitbagthariya](https://github.com/qasumitbagthariya), [@dkotter](https://github.com/dkotter) via [#148](https://github.com/mailchimp/wordpress/pull/148)).
+
+= 1.7.1 - 2026-01-08 =
+* **Fixed:** Provide CSRF hardening for Mailchimp List changes (props [@iamdharmesh](https://github.com/iamdharmesh), [@joemcgill](https://github.com/joemcgill), [@dkotter](https://github.com/dkotter), [@qasumitbagthariya](https://github.com/qasumitbagthariya)).
 
 = 1.7.0 - 2025-04-08 =
@@ -116 +130 @@
 * **Removed:** The "Remove Mailchimp CSS" settings from the Mailchimp settings page (props [@iamdharmesh](https://github.com/iamdharmesh), [@jeffpaul](https://github.com/jeffpaul), [@dkotter](https://github.com/dkotter), [@qasumitbagthariya](https://github.com/qasumitbagthariya) via [#126](https://github.com/mailchimp/wordpress/pull/126)).
 * **Security:** Bump `express` from 4.21.0 to 4.21.2 (props [@dependabot](https://github.com/apps/dependabot), [@iamdharmesh](https://github.com/iamdharmesh), [@dkotter](https://github.com/dkotter) via [#125](https://github.com/mailchimp/wordpress/pull/125)).
+
+= 1.6.4 - 2026-01-08 =
+* **Fixed:** Provide CSRF hardening for Mailchimp List changes (props [@iamdharmesh](https://github.com/iamdharmesh), [@joemcgill](https://github.com/joemcgill), [@dkotter](https://github.com/dkotter), [@qasumitbagthariya](https://github.com/qasumitbagthariya)).
 
 = 1.6.3 - 2025-01-30 =

mailchimp/tags/2.0.1/vendor/composer/autoload_static.php

@@ -12 +12 @@
 
     public static $prefixLengthsPsr4 = array (
-        'M' => 
+        'M' =>
         array (
             'Mailchimp\\WordPress\\' => 20,
@@ -19 +19 @@
 
     public static $prefixDirsPsr4 = array (
-        'Mailchimp\\WordPress\\' => 
+        'Mailchimp\\WordPress\\' =>
         array (
             0 => __DIR__ . '/../..' . '/src',

mailchimp/tags/2.0.1/vendor/composer/installed.php

@@ -2 +2 @@
     'root' => array(
         'name' => 'mailchimp/wordpress',
-        'pretty_version' => '2.0.0',
-        'version' => '2.0.0.0',
-        'reference' => 'f75618e4495ce73463a28d46ef80406839598c45',
+        'pretty_version' => '2.0.1',
+        'version' => '2.0.1.0',
+        'reference' => 'cd230223528aa8c17041aa2e7e492caeda37e26d',
         'type' => 'wordpress-plugin',
         'install_path' => __DIR__ . '/../../',
@@ -12 +12 @@
     'versions' => array(
         'mailchimp/wordpress' => array(
-            'pretty_version' => '2.0.0',
-            'version' => '2.0.0.0',
-            'reference' => 'f75618e4495ce73463a28d46ef80406839598c45',
+            'pretty_version' => '2.0.1',
+            'version' => '2.0.1.0',
+            'reference' => 'cd230223528aa8c17041aa2e7e492caeda37e26d',
             'type' => 'wordpress-plugin',
             'install_path' => __DIR__ . '/../../',

mailchimp/trunk/includes/admin/class-mailchimp-user-sync.php

@@ -326 +326 @@
                         'You will need %1$sa Mailchimp plan%2$s that includes %3$d contact.',
                         'You will need %1$sa Mailchimp plan%2$s that includes %3$d contacts.',
-                        absint( $users_count )
+                        absint( $users_count ),
+                        'mailchimp'
                     ),
                     '<a href="https://mailchimp.com/help/about-mailchimp-pricing-plans/" target="_blank" rel="noopener noreferrer">',

mailchimp/trunk/includes/admin/templates/settings.php

@@ -95 +95 @@
                                     <div class="mailchimp-sf-settings-list-select-button">
                                         <input type="hidden" name="mcsf_action" value="update_mc_list_id" />
+                                        <?php wp_nonce_field( 'update_mc_list_id_action', 'update_mc_list_id_nonce' ); ?>
                                         <input type="submit" name="submit" value="<?php esc_attr_e( 'Fetch list settings', 'mailchimp' ); ?>" class="mailchimp-sf-button btn-secondary" />
                                     </div>

mailchimp/trunk/includes/admin/templates/setup-page.php

@@ -225 +225 @@
                                 <th class="mailchimp-sf-option-header">
                                     <label for="mc_nuke_all_styles">
-                                        <?php esc_html_e( 'Remove CSS' ); ?>
+                                        <?php esc_html_e( 'Remove CSS', 'mailchimp' ); ?>
                                     </label>
                                 </th>
@@ -235 +235 @@
                                         </div>
                                         <label for="mc_nuke_all_styles">
-                                            <?php esc_html_e( 'This will disable all Mailchimp CSS, so it\'s recommended for WordPress experts only.' ); ?>
+                                            <?php esc_html_e( 'This will disable all Mailchimp CSS, so it\'s recommended for WordPress experts only.', 'mailchimp' ); ?>
                                         </label>
                                     </div>
@@ -266 +266 @@
                                         </div>
                                         <label for="mc_custom_style">
-                                            <?php esc_html_e( 'Edit the default Mailchimp CSS style.' ); ?>
+                                            <?php esc_html_e( 'Edit the default Mailchimp CSS style.', 'mailchimp' ); ?>
                                         </label>
                                     </div>

mailchimp/trunk/includes/class-mailchimp-form-submission.php

@@ -100 +100 @@
         $interest_groups       = get_option( 'mc_interest_groups', array() );
 
+        // phpcs:disable WordPress.Security.NonceVerification.Missing -- Nonce check is already done in the request_handler() function.
         // Check if request from latest block.
         if ( isset( $_POST['mailchimp_sf_list_id'] ) ) {
@@ -149 +150 @@
             $email_type = 'html';
         }
+        // phpcs:enable WordPress.Security.NonceVerification.Missing
 
         $response = $this->subscribe_to_list(
@@ -252 +254 @@
 
             // Skip if the field is not required and not submitted.
-            if ( ( true !== (bool) $merge_field['required'] && ! isset( $_POST[ $opt ] ) ) || $skip_merge_validation ) {
+            if ( ( true !== (bool) $merge_field['required'] && ! isset( $_POST[ $opt ] ) ) || $skip_merge_validation ) { // phpcs:ignore WordPress.Security.NonceVerification.Missing -- Nonce check is already done in the request_handler() function.
                 continue;
             }
 
+            // phpcs:ignore WordPress.Security.NonceVerification.Missing -- Nonce check is already done in the request_handler() function.
             $opt_val = isset( $_POST[ $opt ] ) ? map_deep( stripslashes_deep( $_POST[ $opt ] ), 'sanitize_text_field' ) : '';
 
@@ -340 +343 @@
         foreach ( $interest_groups as $interest_group ) {
             $ig_id = $interest_group['id'];
+            // phpcs:disable WordPress.Security.NonceVerification.Missing -- Nonce check is already done in the request_handler() function.
             if ( isset( $_POST['group'][ $ig_id ] ) && 'hidden' !== $interest_group['type'] ) {
                 switch ( $interest_group['type'] ) {
@@ -368 +372 @@
                 }
             }
+            // phpcs:enable WordPress.Security.NonceVerification.Missing
         }
         return $groups;
@@ -545 +550 @@
      */
     protected function validate_form_submission() {
+        // phpcs:disable WordPress.Security.NonceVerification.Missing -- Nonce check is already done in the request_handler() function.
         $spam_message = esc_html__( "We couldn't process your submission as it was flagged as potential spam. Please try again.", 'mailchimp' );
         // Make sure the honeypot field is set, but not filled (if it is, then it's a spam).
@@ -580 +586 @@
          */
         return apply_filters( 'mailchimp_sf_form_submission_validation', true, $_POST );
+        // phpcs:enable WordPress.Security.NonceVerification.Missing
     }
 }

mailchimp/trunk/mailchimp.php

@@ -5 +5 @@
  * Description:       Add a Mailchimp signup form block, widget or shortcode to your WordPress site.
  * Text Domain:       mailchimp
- * Version:           2.0.0
+ * Version:           2.0.1
  * Requires at least: 6.4
  * Requires PHP:      7.0
@@ -68 +68 @@
 
 // Version constant for easy CSS refreshes
-define( 'MCSF_VER', '2.0.0' );
+define( 'MCSF_VER', '2.0.1' );
 
 // What's our permission (capability) threshold
@@ -422 +422 @@
  **/
 function mailchimp_sf_save_general_form_settings() {
-
+    // phpcs:disable WordPress.Security.NonceVerification.Missing -- Nonce check is already done in the mailchimp_sf_request_handler() function.
     /*Enable double optin toggle*/
     if ( isset( $_POST['mc_double_optin'] ) ) {
@@ -448 +448 @@
     if ( isset( $_POST['mc_update_existing'] ) ) {
         update_option( 'mc_update_existing', true );
-        $msg = esc_html__( 'Update existing subscribers turned On!' );
+        $msg = esc_html__( 'Update existing subscribers turned On!', 'mailchimp' );
         admin_notice_success( $msg );
     } elseif ( get_option( 'mc_update_existing' ) !== false ) {
         update_option( 'mc_update_existing', false );
-        $msg = esc_html__( 'Update existing subscribers turned Off!' );
+        $msg = esc_html__( 'Update existing subscribers turned Off!', 'mailchimp' );
         admin_notice_success( $msg );
     }
@@ -522 +522 @@
     $msg = esc_html__( 'Successfully Updated your List Subscribe Form Settings!', 'mailchimp' );
     admin_notice_success( $msg );
+    // phpcs:enable WordPress.Security.NonceVerification.Missing
 }
 
@@ -532 +533 @@
     }
 
+    if (
+        ! current_user_can( MCSF_CAP_THRESHOLD ) ||
+        ! isset( $_POST['update_mc_list_id_nonce'] ) ||
+        ! wp_verify_nonce( sanitize_key( $_POST['update_mc_list_id_nonce'] ), 'update_mc_list_id_action' )
+    ) {
+        wp_die( 'Security check failed.' );
+    }
+
     if ( empty( $_POST['mc_list_id'] ) ) {
         $msg = esc_html__( 'Please choose a valid list', 'mailchimp' );
@@ -537 +546 @@
         return;
     }
-
-    // Simple permission check before going through all this
-    if ( ! current_user_can( MCSF_CAP_THRESHOLD ) ) { return; }
 
     $api = mailchimp_sf_get_api();
@@ -606 +612 @@
                 count( $mv )
             ) . ' ' .
-            esc_html__( 'from your list' ) . ' "' . $list_name . '"<br/><br/>' .
+            esc_html__( 'from your list', 'mailchimp' ) . ' "' . $list_name . '"<br/><br/>' .
             esc_html__( 'Now you should either Turn On the Mailchimp Widget or change your options below, then turn it on.', 'mailchimp' );
 

mailchimp/trunk/readme.txt

@@ -2 +2 @@
 Contributors: Mailchimp
 Tags:         mailchimp, email, newsletter, signup, marketing
-Tested up to: 6.8
-Stable tag:   2.0.0
+Tested up to: 6.9
+Stable tag:   2.0.1
 License:      GPL-2.0-or-later
 License URI:  https://spdx.org/licenses/GPL-2.0-or-later.html
@@ -76 +76 @@
 
 == Changelog ==
+
+= 2.0.1 - 2026-01-08 =
+* **Fixed:** Provide CSRF hardening for Mailchimp List changes (props [@iamdharmesh](https://github.com/iamdharmesh), [@joemcgill](https://github.com/joemcgill), [@dkotter](https://github.com/dkotter), [@qasumitbagthariya](https://github.com/qasumitbagthariya)).
+* **Fixed:** Plugin check plugin errors to improve overall codebase (props [@iamdharmesh](https://github.com/iamdharmesh), [@joemcgill](https://github.com/joemcgill), [@dkotter](https://github.com/dkotter), [@qasumitbagthariya](https://github.com/qasumitbagthariya)).
+* **Changed:** Bump WordPress "tested up to" version 6.9 (props [@iamdharmesh](https://github.com/iamdharmesh), [@joemcgill](https://github.com/joemcgill), [@qasumitbagthariya](https://github.com/qasumitbagthariya)).
 
 = 2.0.0 - 2025-08-11 =
@@ -90 +95 @@
 * **Security:** Bump `http-proxy-middleware` from 2.0.6 to 2.0.9 (props [@dependabot](https://github.com/apps/dependabot), [@iamdharmesh](https://github.com/iamdharmesh) via [#180](https://github.com/mailchimp/wordpress/pull/180)).
 
+= 1.9.1 - 2026-01-08 =
+* **Fixed:** Provide CSRF hardening for Mailchimp List changes (props [@iamdharmesh](https://github.com/iamdharmesh), [@joemcgill](https://github.com/joemcgill), [@dkotter](https://github.com/dkotter), [@qasumitbagthariya](https://github.com/qasumitbagthariya)).
+
 = 1.9.0 - 2025-06-04 =
 * **Added:** New user synchronization feature that allows syncing WordPress users to Mailchimp (props [@iamdharmesh](https://github.com/iamdharmesh), [@jeffpaul](https://github.com/jeffpaul), [@dkotter](https://github.com/dkotter), [@qasumitbagthariya](https://github.com/qasumitbagthariya) via [#156](https://github.com/mailchimp/wordpress/pull/156)).
 * **Changed:** Improved the enqueueing of JavaScript scripts and styles (props [@iamdharmesh](https://github.com/iamdharmesh), [@dkotter](https://github.com/dkotter), [@qasumitbagthariya](https://github.com/qasumitbagthariya) via [#161](https://github.com/mailchimp/wordpress/pull/161)).
+
+= 1.8.1 - 2026-01-08 =
+* **Fixed:** Provide CSRF hardening for Mailchimp List changes (props [@iamdharmesh](https://github.com/iamdharmesh), [@joemcgill](https://github.com/joemcgill), [@dkotter](https://github.com/dkotter), [@qasumitbagthariya](https://github.com/qasumitbagthariya)).
 
 = 1.8.0 - 2025-05-08 =
@@ -102 +113 @@
 * **Changed:** Bump WordPress "tested up to" version 6.8 (props [@qasumitbagthariya](https://github.com/qasumitbagthariya), [@dkotter](https://github.com/dkotter) via [#148](https://github.com/mailchimp/wordpress/pull/148)).
 * **Changed:** Bump WordPress minimum supported version from 6.3 to 6.4 (props [@qasumitbagthariya](https://github.com/qasumitbagthariya), [@dkotter](https://github.com/dkotter) via [#148](https://github.com/mailchimp/wordpress/pull/148)).
+
+= 1.7.1 - 2026-01-08 =
+* **Fixed:** Provide CSRF hardening for Mailchimp List changes (props [@iamdharmesh](https://github.com/iamdharmesh), [@joemcgill](https://github.com/joemcgill), [@dkotter](https://github.com/dkotter), [@qasumitbagthariya](https://github.com/qasumitbagthariya)).
 
 = 1.7.0 - 2025-04-08 =
@@ -116 +130 @@
 * **Removed:** The "Remove Mailchimp CSS" settings from the Mailchimp settings page (props [@iamdharmesh](https://github.com/iamdharmesh), [@jeffpaul](https://github.com/jeffpaul), [@dkotter](https://github.com/dkotter), [@qasumitbagthariya](https://github.com/qasumitbagthariya) via [#126](https://github.com/mailchimp/wordpress/pull/126)).
 * **Security:** Bump `express` from 4.21.0 to 4.21.2 (props [@dependabot](https://github.com/apps/dependabot), [@iamdharmesh](https://github.com/iamdharmesh), [@dkotter](https://github.com/dkotter) via [#125](https://github.com/mailchimp/wordpress/pull/125)).
+
+= 1.6.4 - 2026-01-08 =
+* **Fixed:** Provide CSRF hardening for Mailchimp List changes (props [@iamdharmesh](https://github.com/iamdharmesh), [@joemcgill](https://github.com/joemcgill), [@dkotter](https://github.com/dkotter), [@qasumitbagthariya](https://github.com/qasumitbagthariya)).
 
 = 1.6.3 - 2025-01-30 =

mailchimp/trunk/vendor/composer/autoload_static.php

@@ -12 +12 @@
 
     public static $prefixLengthsPsr4 = array (
-        'M' => 
+        'M' =>
         array (
             'Mailchimp\\WordPress\\' => 20,
@@ -19 +19 @@
 
     public static $prefixDirsPsr4 = array (
-        'Mailchimp\\WordPress\\' => 
+        'Mailchimp\\WordPress\\' =>
         array (
             0 => __DIR__ . '/../..' . '/src',

mailchimp/trunk/vendor/composer/installed.php

@@ -2 +2 @@
     'root' => array(
         'name' => 'mailchimp/wordpress',
-        'pretty_version' => '2.0.0',
-        'version' => '2.0.0.0',
-        'reference' => 'f75618e4495ce73463a28d46ef80406839598c45',
+        'pretty_version' => '2.0.1',
+        'version' => '2.0.1.0',
+        'reference' => 'cd230223528aa8c17041aa2e7e492caeda37e26d',
         'type' => 'wordpress-plugin',
         'install_path' => __DIR__ . '/../../',
@@ -12 +12 @@
     'versions' => array(
         'mailchimp/wordpress' => array(
-            'pretty_version' => '2.0.0',
-            'version' => '2.0.0.0',
-            'reference' => 'f75618e4495ce73463a28d46ef80406839598c45',
+            'pretty_version' => '2.0.1',
+            'version' => '2.0.1.0',
+            'reference' => 'cd230223528aa8c17041aa2e7e492caeda37e26d',
             'type' => 'wordpress-plugin',
             'install_path' => __DIR__ . '/../../',