Skip to main content

CF7 Mailchimp Extension CVE-2026-15000

| EUVDEUVD-2026-42523 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-07-09 Wordfence GHSA-6h77-cm5j-f2x9
7.2
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
7.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
vuln.today AI
6.1 MEDIUM

Unauthenticated injection (PR:N) over the network (AV:N), but execution requires an administrator to perform a Contact Lookup, so UI:R; XSS runs in the separate admin context (S:C) with limited C/I impact and no availability effect.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 09, 2026 - 08:32 vuln.today
CVE Published
Jul 09, 2026 - 06:52 nvd
HIGH 7.2

DescriptionCVE.org

The Connect Contact Form 7 and Mailchimp plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Mailchimp Merge Field Values in all versions up to, and including, 0.9.78.06 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The injected payload is only triggered when a privileged user (Administrator) performs a Contact Lookup for the email address submitted via the CF7 form, meaning execution is deferred until an administrator interacts with the affected entry.

AnalysisAI

Stored cross-site scripting in the Connect Contact Form 7 and Mailchimp WordPress plugin (all versions through 0.9.78.06) lets unauthenticated visitors plant JavaScript through Mailchimp merge-field values submitted via a Contact Form 7 form. The payload lies dormant until an Administrator runs a Contact Lookup on the submitted email address, at which point the script executes in the privileged admin session. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Locate public CF7 form with Mailchimp mapping
Delivery
Submit form with script in merge-field value
Exploit
Payload stored in plugin records
Execution
Admin runs Contact Lookup for that email
Persist
Script executes in admin session
Impact
Hijack admin session / act as admin

Vulnerability AssessmentAI

Exploitation Injection requires only that the site runs the Connect Contact Form 7 and Mailchimp plugin (≤ 0.9.78.06) with a public Contact Form 7 form whose fields map to Mailchimp merge variables - no authentication is needed to submit the payload (PR:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The published CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N, 7.2) reflects unauthenticated network injection with a scope change into the admin context, but it contains an internal tension: the description explicitly states execution is deferred until a privileged Administrator performs a Contact Lookup, which is a real user-interaction dependency that UI:N does not capture - a more honest vector uses UI:R, lowering effective urgency. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker submits a public Contact Form 7 form on the target site, placing a JavaScript payload (e.g. an image tag with an onerror handler) into a field mapped to a Mailchimp merge variable. …
Remediation Upstream fix available (PR/commit); released patched version not independently confirmed - the trac changeset at https://plugins.trac.wordpress.org/changeset?reponame=&old=3599649%40contact-form-7-mailchimp-extension&new=3599649%40contact-form-7-mailchimp-extension shows corrective changes, but no fixed release number above 0.9.78.06 is stated in the provided data, so update to the latest available plugin release once published and confirm the version against the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/be2579e3-8e40-4603-9ec1-38f43dc1aa29?source=cve). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory all WordPress deployments running Connect Contact Form 7 and Mailchimp plugin versions ≤0.9.78.06 and assess business criticality. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-15000 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy