CVE-2025-68989

Severity: HIGH (CVSS 3.1 base score 7.5)
Published: 2025-12-30

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: None
Availability: None

Lifecycle Timeline

Analysis Generated: Apr 01, 2026 - 15:22 (vuln.today)
CVE Published: Dec 30, 2025 - 11:15 (nvd)

Description

Insertion of Sensitive Information Into Sent Data vulnerability in Renzo Johnson contact-form-7-mailchimp-extension contact-form-7-mailchimp-extension allows Retrieve Embedded Sensitive Data. This issue affects contact-form-7-mailchimp-extension: from n/a through <= 0.9.68.

Analysis

Sensitive data exposure in the Contact Form 7 Mailchimp Extension plugin for WordPress (versions ≤ 0.9.68) allows unauthenticated remote attackers to retrieve embedded sensitive information through network-accessible endpoints. The vulnerability enables unauthorized access to confidential data with low attack complexity and no user interaction required. The EPSS score of 0.05% (14th percentile) indicates a low observed exploitation probability, and no public exploit was identified at the time of analysis.

Technical Context

This vulnerability stems from CWE-201 (Insertion of Sensitive Information Into Sent Data), occurring in the contact-form-7-mailchimp-extension WordPress plugin developed by Renzo Johnson. The flaw arises when the plugin improperly includes sensitive information in data transmissions, likely during API communications between Contact Form 7 submissions and Mailchimp's marketing platform. Information disclosure vulnerabilities of this class typically occur when applications inadvertently expose authentication tokens, API keys, user data, or system configuration details in HTTP responses, debug output, or integration payloads. The plugin facilitates integration between the popular Contact Form 7 contact form builder and Mailchimp email marketing service, handling potentially sensitive subscriber data during form submission processing. The network-accessible attack vector (AV:N) indicates the sensitive data can be retrieved remotely without requiring local or adjacent network access.

Affected Products

The vulnerability affects the Contact Form 7 Extension for Mailchimp WordPress plugin developed by Renzo Johnson, specifically all versions from the earliest release through version 0.9.68 inclusive. The Patchstack reference indicates version 0.9.49 was analyzed, suggesting the vulnerability exists across a wide version range spanning multiple releases. This plugin serves as an integration layer between Contact Form 7 (a widely-deployed WordPress form builder) and Mailchimp's email marketing platform, typically installed on WordPress sites requiring newsletter signup or marketing automation capabilities. Complete vendor advisory and technical details are available through Patchstack's vulnerability database at https://patchstack.com/database/Wordpress/Plugin/contact-form-7-mailchimp-extension/vulnerability/wordpress-contact-form-7-extension-for-mailchimp-plugin-0-9-49-sensitive-data-exposure-vulnerability.

Remediation

Website administrators should immediately upgrade the contact-form-7-mailchimp-extension plugin to a version newer than 0.9.68 if available through the WordPress plugin repository. Check the official WordPress plugin directory or Renzo Johnson's release channels for patched versions addressing CVE-2025-68989. If no updated version is available, consider temporarily disabling the plugin and implementing alternative Mailchimp integration methods until a fix is released. Review web server access logs for unusual requests to plugin endpoints that may indicate reconnaissance or exploitation attempts. Audit Mailchimp API key configurations and rotate credentials if sensitive data exposure is suspected. For long-term risk reduction, evaluate whether the plugin remains actively maintained by the developer; unmaintained plugins should be replaced with supported alternatives. Consult the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/contact-form-7-mailchimp-extension/vulnerability/wordpress-contact-form-7-extension-for-mailchimp-plugin-0-9-49-sensitive-data-exposure-vulnerability for additional technical guidance and vendor notification status.
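One way to operationalise the version check in the remediation guidance above, as an added example (not from vuln.today or the plugin vendor): a POSIX shell script that classifies a plugin version against the advisory's affected range (all versions <= 0.9.68) and, when WP-CLI is available, reads the installed version from the site. It assumes WP-CLI ("wp") is installed and the script runs from the WordPress root; the plugin slug is the one given in the advisory, while the wp subcommands and the cron/CI usage are my assumptions, not the advisory's.

```shell
#!/bin/sh
# Added example (not from vuln.today or the plugin vendor): decide whether an
# installed Contact Form 7 Mailchimp Extension version is inside the range the
# advisory gives for CVE-2025-68989 (<= 0.9.68), then optionally check the
# live site. Assumes WP-CLI ("wp") run from the WordPress root and the plugin
# slug "contact-form-7-mailchimp-extension" from the advisory.

CF7MC_SLUG="contact-form-7-mailchimp-extension"
CF7MC_MAX_AFFECTED="0.9.68"   # last affected version named in the advisory

# ver_le A B: exit 0 when dotted version A <= B, comparing numeric fields
# left to right; missing trailing fields count as 0 (so "0.9" < "0.9.68").
ver_le() {
    a="${1#v}"; b="${2#v}"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ah="${a%%.*}"; bh="${b%%.*}"
        [ "${ah:-0}" -lt "${bh:-0}" ] && return 0
        [ "${ah:-0}" -gt "${bh:-0}" ] && return 1
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 0
}

# cf7mc_affected VERSION: 0 = affected, 1 = not affected,
# 2 = version string unusable ("n/a", empty, non-numeric, stray dots).
cf7mc_affected() {
    v="${1#v}"
    case "$v" in "" | *[!0-9.]* | .* | *. | *..*) return 2 ;; esac
    ver_le "$v" "$CF7MC_MAX_AFFECTED"
}

# cf7mc_check_site: read the installed version via WP-CLI and report.
# Exit status mirrors cf7mc_affected so a cron or CI job can act on it.
cf7mc_check_site() {
    command -v wp >/dev/null 2>&1 || { echo "wp not found; skipping live check"; return 2; }
    installed="$(wp plugin get "$CF7MC_SLUG" --field=version 2>/dev/null)" \
        || { echo "$CF7MC_SLUG is not installed"; return 1; }
    rc=0; cf7mc_affected "$installed" || rc=$?
    case $rc in
        0) echo "AFFECTED: $CF7MC_SLUG $installed <= $CF7MC_MAX_AFFECTED (CVE-2025-68989)"
           echo "Next: wp plugin update $CF7MC_SLUG   # or: wp plugin deactivate $CF7MC_SLUG" ;;
        1) echo "OK: $CF7MC_SLUG $installed is outside the affected range" ;;
        *) echo "Cannot parse version '$installed' for $CF7MC_SLUG; check manually" ;;
    esac
    return $rc
}
# Run the live check only with --live, so sourcing the file has no side effects.
if [ "${1:-}" = "--live" ]; then cf7mc_check_site; fi
```

Run it as `sh cf7mc-check.sh --live` from the WordPress root; an exit status of 0 means the installed version is in the affected range.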

Priority Score

Priority Score: 38 (scale: Low / Medium / High / Critical)
Components: KEV: 0, EPSS: +0.0, CVSS: +38, POC: 0


CVE-2025-68989 vulnerability details – vuln.today
