Connect Contact Form 7 And Mailchimp
Monthly
Stored cross-site scripting in the Connect Contact Form 7 and Mailchimp WordPress plugin (all versions through 0.9.78.06) lets unauthenticated visitors plant JavaScript through Mailchimp merge-field values submitted via a Contact Form 7 form. The payload lies dormant until an Administrator runs a Contact Lookup on the submitted email address, at which point the script executes in the privileged admin session. Reported by Wordfence with a CVSS of 7.2; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.
Stored cross-site scripting in the Connect Contact Form 7 and Mailchimp WordPress plugin (all versions through 0.9.78.06) lets unauthenticated visitors plant JavaScript through Mailchimp merge-field values submitted via a Contact Form 7 form. The payload lies dormant until an Administrator runs a Contact Lookup on the submitted email address, at which point the script executes in the privileged admin session. Reported by Wordfence with a CVSS of 7.2; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.