From d4e3db8b47472b2d19f6ac108141be5874f86ded Mon Sep 17 00:00:00 2001
From: Dharmesh Patel <dspatel44@gmail.com>
Date: Wed, 6 May 2026 12:05:10 +0530
Subject: [PATCH 1/4] Added `mailchimp_sf_list_limit` filter to modify the list
 limit.

---
 includes/admin/templates/settings.php         |  3 +--
 ...s-mailchimp-list-subscribe-form-blocks.php |  3 +--
 includes/class-mailchimp-admin.php            |  2 +-
 mailchimp.php                                 | 27 ++++++++++++++++---
 4 files changed, 27 insertions(+), 8 deletions(-)

diff --git a/includes/admin/templates/settings.php b/includes/admin/templates/settings.php
index b657841..bd4593d 100644
--- a/includes/admin/templates/settings.php
+++ b/includes/admin/templates/settings.php
@@ -51,8 +51,7 @@
 						</p>
 						<form method="post" action="<?php echo esc_url( add_query_arg( array( 'page' => 'mailchimp_sf_options' ), admin_url( 'admin.php' ) ) ); ?>">
 							<?php
-							// we *could* support paging, but few users have that many lists (and shouldn't)
-							$lists = $api->get( 'lists', 100, array( 'fields' => 'lists.id,lists.name' ) );
+							$lists = mailchimp_sf_get_lists();
 							if ( is_wp_error( $lists ) ) {
 								$msg = sprintf(
 									/* translators: %s: error message */
diff --git a/includes/blocks/class-mailchimp-list-subscribe-form-blocks.php b/includes/blocks/class-mailchimp-list-subscribe-form-blocks.php
index 945863f..423c055 100644
--- a/includes/blocks/class-mailchimp-list-subscribe-form-blocks.php
+++ b/includes/blocks/class-mailchimp-list-subscribe-form-blocks.php
@@ -109,8 +109,7 @@ public function get_lists() {
 			return array();
 		}
 
-		// we *could* support paging, but 100 is more than enough for now.
-		$lists = $api->get( 'lists', 100, array( 'fields' => 'lists.id,lists.name,lists.email_type_option' ) );
+		$lists = mailchimp_sf_get_lists();
 		if ( is_wp_error( $lists ) ) {
 			return array();
 		}
diff --git a/includes/class-mailchimp-admin.php b/includes/class-mailchimp-admin.php
index 3805336..43e2fd1 100644
--- a/includes/class-mailchimp-admin.php
+++ b/includes/class-mailchimp-admin.php
@@ -372,7 +372,7 @@ public function verify_and_save_oauth_token( $access_token, $data_center ) {
 			update_option( 'mc_user', $this->sanitize_data( $user ) );
 
 			// Clear Mailchimp List ID if saved list is not available.
-			$lists = $api->get( 'lists', 100, array( 'fields' => 'lists.id,lists.name,lists.email_type_option' ) );
+			$lists = mailchimp_sf_get_lists();
 			if ( ! is_wp_error( $lists ) ) {
 				$lists         = $lists['lists'] ?? array();
 				$saved_list_id = get_option( 'mc_list_id' );
diff --git a/mailchimp.php b/mailchimp.php
index caf1cd2..074ec9e 100644
--- a/mailchimp.php
+++ b/mailchimp.php
@@ -549,9 +549,7 @@ function mailchimp_sf_change_list_if_necessary() {
 	$api = mailchimp_sf_get_api();
 	if ( ! $api ) { return; }
 
-	// we *could* support paging, but few users have that many lists (and shouldn't)
-	$lists = $api->get( 'lists', 100, array( 'fields' => 'lists.id,lists.name,lists.email_type_option' ) );
-
+	$lists = mailchimp_sf_get_lists();
 	if ( ! isset( $lists['lists'] ) || is_wp_error( $lists['lists'] ) ) {
 		return;
 	}
@@ -998,3 +996,26 @@ function mailchimp_sf_get_access_token() {
 function mailchimp_sf_should_display_form() {
 	return mailchimp_sf_get_api() && ! get_option( 'mailchimp_sf_auth_error' ) && get_option( 'mc_list_id' );
 }
+
+/**
+ * Get Mailchimp Lists.
+ *
+ * @since x.x.x
+ * @return array List of Mailchimp lists.
+ */
+function mailchimp_sf_get_lists() {
+	/**
+	 * Filter the limit of lists to fetch.
+	 *
+	 * @param int $limit The limit of lists to fetch. Defaults to 100.
+	 * @return int
+	 */
+	$limit = apply_filters( 'mailchimp_sf_list_limit', 100 ); // Default to 100.
+
+	$api = mailchimp_sf_get_api();
+	if ( ! $api ) {
+		return array();
+	}
+
+	return $api->get( 'lists', $limit, array( 'fields' => 'lists.id,lists.name,lists.email_type_option' ) );
+}

From 87c1b00cea161cff011885082d6257b7011555fc Mon Sep 17 00:00:00 2001
From: Dharmesh Patel <dspatel44@gmail.com>
Date: Wed, 6 May 2026 12:35:56 +0530
Subject: [PATCH 2/4] Apply suggestions from code review

Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
---
 mailchimp.php | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/mailchimp.php b/mailchimp.php
index 074ec9e..1cf274f 100644
--- a/mailchimp.php
+++ b/mailchimp.php
@@ -546,11 +546,8 @@ function mailchimp_sf_change_list_if_necessary() {
 		return;
 	}
 
-	$api = mailchimp_sf_get_api();
-	if ( ! $api ) { return; }
-
 	$lists = mailchimp_sf_get_lists();
-	if ( ! isset( $lists['lists'] ) || is_wp_error( $lists['lists'] ) ) {
+	if ( is_wp_error( $lists ) || ! isset( $lists['lists'] ) ) {
 		return;
 	}
 

From 18983899c08ed901507f02469496f6808ea6daf6 Mon Sep 17 00:00:00 2001
From: Dharmesh Patel <dspatel44@gmail.com>
Date: Wed, 6 May 2026 12:36:38 +0530
Subject: [PATCH 3/4] Update doc block and remove redundant API check.

---
 .../blocks/class-mailchimp-list-subscribe-form-blocks.php   | 6 ------
 mailchimp.php                                               | 2 +-
 2 files changed, 1 insertion(+), 7 deletions(-)

diff --git a/includes/blocks/class-mailchimp-list-subscribe-form-blocks.php b/includes/blocks/class-mailchimp-list-subscribe-form-blocks.php
index 423c055..8488c7d 100644
--- a/includes/blocks/class-mailchimp-list-subscribe-form-blocks.php
+++ b/includes/blocks/class-mailchimp-list-subscribe-form-blocks.php
@@ -103,12 +103,6 @@ public function get_lists() {
 			return $lists;
 		}
 
-		// If we don't have any lists, get them from the API.
-		$api = mailchimp_sf_get_api();
-		if ( ! $api ) {
-			return array();
-		}
-
 		$lists = mailchimp_sf_get_lists();
 		if ( is_wp_error( $lists ) ) {
 			return array();
diff --git a/mailchimp.php b/mailchimp.php
index 074ec9e..8a0f3d2 100644
--- a/mailchimp.php
+++ b/mailchimp.php
@@ -1001,7 +1001,7 @@ function mailchimp_sf_should_display_form() {
  * Get Mailchimp Lists.
  *
  * @since x.x.x
- * @return array List of Mailchimp lists.
+ * @return array|WP_Error|false List of Mailchimp lists, or an error/false from the API request.
  */
 function mailchimp_sf_get_lists() {
 	/**

From 4ebf5798124e7e6845536aa03ab94ec94dc81f36 Mon Sep 17 00:00:00 2001
From: Dharmesh Patel <dspatel44@gmail.com>
Date: Wed, 6 May 2026 12:42:15 +0530
Subject: [PATCH 4/4] Enhance list limit handling by sanitizing input and
 enforcing minimum and maximum values.

---
 mailchimp.php | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/mailchimp.php b/mailchimp.php
index 9c05b46..19f97be 100644
--- a/mailchimp.php
+++ b/mailchimp.php
@@ -1004,10 +1004,11 @@ function mailchimp_sf_get_lists() {
 	/**
 	 * Filter the limit of lists to fetch.
 	 *
-	 * @param int $limit The limit of lists to fetch. Defaults to 100.
-	 * @return int
+	 * This value is sanitized to a positive integer and clamped before the API request.
+	 * Defaults to 100. 1000 is the maximum allowed by the API. 1 is the minimum allowed.
 	 */
 	$limit = apply_filters( 'mailchimp_sf_list_limit', 100 ); // Default to 100.
+	$limit = max( 1, min( 1000, absint( $limit ) ) );
 
 	$api = mailchimp_sf_get_api();
 	if ( ! $api ) {