Skip to main content

Connect Contact Form 7 And Mailchimp

1 CVEs product

Monthly

CVE-2026-15000 HIGH This Week

Stored cross-site scripting in the Connect Contact Form 7 and Mailchimp WordPress plugin (all versions through 0.9.78.06) lets unauthenticated visitors plant JavaScript through Mailchimp merge-field values submitted via a Contact Form 7 form. The payload lies dormant until an Administrator runs a Contact Lookup on the submitted email address, at which point the script executes in the privileged admin session. Reported by Wordfence with a CVSS of 7.2; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

WordPress XSS Connect Contact Form 7 And Mailchimp
NVD
CVSS 3.1
7.2
EPSS
0.3%
EPSS 0% CVSS 7.2
HIGH This Week

Stored cross-site scripting in the Connect Contact Form 7 and Mailchimp WordPress plugin (all versions through 0.9.78.06) lets unauthenticated visitors plant JavaScript through Mailchimp merge-field values submitted via a Contact Form 7 form. The payload lies dormant until an Administrator runs a Contact Lookup on the submitted email address, at which point the script executes in the privileged admin session. Reported by Wordfence with a CVSS of 7.2; there is no public exploit identified at time of analysis and it is not listed in CISA KEV.

WordPress XSS Connect Contact Form 7 And Mailchimp
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy