Description
Missing Authorization vulnerability in kamleshyadav CF7 7 Mailchimp Add-on CF7-mailchimp-addon allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CF7 7 Mailchimp Add-on: from n/a through < 2.4.
Published: 2025-07-04
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The kamleshyadav CF7 7 Mailchimp Add-on plugin performs at least one privileged action without first checking that the caller is authorized to request it (CWE-862, Missing Authorization). The CVSS vector in the record (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) describes a request that an unauthenticated remote caller can send and that results in a low integrity impact with no confidentiality or availability impact: an attacker could change plugin state or Mailchimp integration settings that should be reserved for privileged users, but the record does not claim that configuration data can be read. The specific action or endpoint is not identified in the CVE record.

Affected Systems

The vulnerability affects the WordPress CF7 7 Mailchimp Add-on plugin (vendor kamleshyadav) in all releases before version 2.4. The advisory was originally scoped to versions up to and including 2.2 and was later widened to every release below 2.4 (see History), so any installed version lower than 2.4 should be treated as exposed, not only those up to 2.2.

Risk and Exploitability

With a CVSS 3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N), the flaw is rated Medium: it is reachable over the network by an unauthenticated attacker with no user interaction, but its impact is confined to a low integrity impact. The EPSS score of less than 1% indicates a low probability of exploitation at present, the issue is not listed in the CISA KEV catalog, and the SSVC assessment in the record marks exploitation as none, technical impact as partial and the attack as automatable. Note that this is a missing authorization check, not an authentication bypass: the plugin carries out a privileged action without verifying the caller's capability, so an attacker would send a crafted HTTP request to the plugin's endpoint and the action would be performed as if an authorized user had requested it. The CVE record does not name the endpoint or the action, and the vector's C:N means it does not assert that settings can be read back.
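The pattern behind a CWE-862 finding in a WordPress plugin, shown here as an added example and not as code from the CF7 7 Mailchimp Add-on or from the CVE record: an admin-ajax.php handler that changes a plugin option without checking who is calling, next to the same handler with the checks WordPress provides. The action name `example_save_list`, the option `example_mailchimp_list_id` and the `list_id` parameter are invented for the illustration; this page does not identify the plugin's actual endpoint or setting.

```php
<?php
/**
 * Illustrative CWE-862 pattern for a WordPress plugin. Hypothetical code,
 * not taken from the CF7 7 Mailchimp Add-on; the action slug, option name
 * and request parameter are invented for the example.
 */

// --- Vulnerable: registered on the wp_ajax_nopriv_* hook, so unauthenticated
// visitors reach it, and the handler never asks who is calling. Anyone who can
// POST to /wp-admin/admin-ajax.php?action=example_save_list overwrites the setting.
add_action( 'wp_ajax_nopriv_example_save_list', 'example_save_list_vulnerable' );
add_action( 'wp_ajax_example_save_list',        'example_save_list_vulnerable' );

function example_save_list_vulnerable() {
    $list_id = isset( $_POST['list_id'] ) ? sanitize_text_field( wp_unslash( $_POST['list_id'] ) ) : '';
    update_option( 'example_mailchimp_list_id', $list_id );   // state change with no authorization
    wp_send_json_success();
}

// --- Hardened: logged-in hook only, a nonce bound to this action, and an
// explicit capability check before any state change.
add_action( 'wp_ajax_example_save_list', 'example_save_list_hardened' );

function example_save_list_hardened() {
    // 1. CSRF: the request must carry the nonce emitted with the admin form.
    //    check_ajax_referer() calls wp_die() with "-1" and HTTP 403 on failure.
    check_ajax_referer( 'example_save_list', 'nonce' );

    // 2. Authorization (the CWE-862 fix): the caller must hold the capability
    //    that owns this setting. A nonce alone does not establish this.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 3. Validate what is about to be persisted.
    $list_id = isset( $_POST['list_id'] ) ? sanitize_text_field( wp_unslash( $_POST['list_id'] ) ) : '';
    if ( ! preg_match( '/^[A-Za-z0-9]{1,32}$/', $list_id ) ) {
        wp_send_json_error( array( 'message' => 'Invalid list id' ), 400 );
    }

    update_option( 'example_mailchimp_list_id', $list_id );
    wp_send_json_success();
}

// Where the settings form is rendered, emit the nonce the hardened handler expects:
//   wp_nonce_field( 'example_save_list', 'nonce' );
```

check_ajax_referer() by itself does not close a missing-authorization bug: a nonce only proves the request came from a page WordPress rendered for some logged-in user, which any subscriber-level account can obtain, so current_user_can() is the check that CWE-862 is about. A REST route gets the equivalent through its permission_callback; registering one with '__return_true' is the same defect in different syntax.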

Generated by OpenCVE AI on April 30, 2026 at 17:00 UTC.

Remediation

The CVE record does not include a vendor-supplied solution or workaround statement. The affected range in the description (all versions before 2.4) implies that 2.4 is the first release without the flaw, which is the basis for the upgrade recommendation.

OpenCVE Recommended Actions

  • Upgrade the CF7 7 Mailchimp Add-on plugin to version 2.4 or later; the description's affected range (< 2.4) marks that as the first release without the missing check.
  • Understand that the fix lives in the plugin's code, not in site configuration: WordPress roles and capabilities only protect an action when the plugin calls current_user_can() (or supplies a REST permission_callback) before performing it, so hardening roles at the site level does not compensate for a handler that never consults them. After upgrading, review the plugin's Mailchimp settings for changes you did not make, since the recorded impact is to integrity.
  • If an immediate upgrade is not feasible, deactivate the plugin until it can be updated. The CVE record does not name the vulnerable endpoint, and WordPress plugins usually receive such requests through shared entry points (admin-ajax.php, the REST API) that the rest of the site depends on, so allow-listing trusted IP addresses on those paths at the web server or in a security plugin is likely to break legitimate functionality and is at best a partial control.
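A quick way to tell whether a site is in the affected range, added here as example code and not taken from the CVE record or the plugin: read the standard WordPress plugin header and compare its Version: against 2.4 with version_compare(), which, unlike a string comparison, orders 2.10 after 2.4. The plugin's directory name, main file name and the exact "Plugin Name:" header text are not given on this page and are treated as assumptions; the scan therefore matches on the words "CF7" (or "Contact Form 7") and "Mailchimp" in the header rather than on a fixed path, and the sample headers at the bottom are constructed for the example.

```php
<?php
/**
 * Added check (example code, not from the CVE record or the plugin): is an
 * installed copy of the CF7 7 Mailchimp Add-on in the affected range (< 2.4)?
 * Reads the standard WordPress plugin header instead of assuming a file name,
 * because the plugin's directory and main file are not given on the page.
 */

/** Parse "Plugin Name:" and "Version:" out of a plugin main file's header block. */
function example_parse_plugin_header( string $src ): ?array {
    $head = substr( $src, 0, 8192 );   // WordPress itself only reads the first 8 KiB
    if ( ! preg_match( '/^[ \t\/*#@]*Plugin Name:[ \t]*(.+?)[ \t]*$/mi', $head, $n ) ) {
        return null;                   // no header: not a plugin main file
    }
    $version = preg_match( '/^[ \t\/*#@]*Version:[ \t]*(.+?)[ \t]*$/mi', $head, $v ) ? trim( $v[1] ) : '';
    return array( 'name' => trim( $n[1] ), 'version' => $version );
}

/**
 * True when the header looks like this plugin and its version is below $fixed.
 * The exact "Plugin Name:" text is an assumption, so match on its distinctive words.
 */
function example_is_affected( array $header, string $fixed = '2.4' ): bool {
    $name      = strtolower( $header['name'] );
    $mailchimp = strpos( $name, 'mailchimp' ) !== false;
    $cf7       = strpos( $name, 'cf7' ) !== false || strpos( $name, 'contact form 7' ) !== false;
    if ( ! ( $mailchimp && $cf7 ) ) {
        return false;
    }
    if ( $header['version'] === '' ) {
        return true;   // unknown version: report it rather than silently assume it is safe
    }
    // version_compare() orders 2.10 after 2.4; a plain string compare would not.
    return version_compare( $header['version'], $fixed, '<' );
}

/** Walk every plugin directory under wp-content/plugins and collect affected installs. */
function example_scan_plugins( string $plugins_dir ): array {
    $hits = array();
    foreach ( glob( rtrim( $plugins_dir, '/' ) . '/*/*.php' ) ?: array() as $file ) {
        $header = example_parse_plugin_header( (string) file_get_contents( $file ) );
        if ( $header !== null && example_is_affected( $header ) ) {
            $hits[] = array( 'file' => $file ) + $header;
        }
    }
    return $hits;
}

// Constructed sample headers (not real plugin files) so the logic can be exercised offline.
$samples = array(
    "<?php\n/*\nPlugin Name: CF7 7 Mailchimp Add-on\nVersion: 2.2\n*/",
    "<?php\n/*\nPlugin Name: CF7 7 Mailchimp Add-on\nVersion: 2.4\n*/",
    "<?php\n/**\n * Plugin Name: CF7 7 Mailchimp Add-on\n * Version: 2.10\n */",
    "<?php\n/*\nPlugin Name: CF7 7 Mailchimp Add-on\n*/",
    "<?php\n/*\nPlugin Name: Some Other Plugin\nVersion: 1.0\n*/",
);
foreach ( $samples as $src ) {
    $h = example_parse_plugin_header( $src );
    printf( "%-26s %-6s affected=%s\n", $h['name'], $h['version'] === '' ? '(none)' : $h['version'],
        example_is_affected( $h ) ? 'yes' : 'no' );
}

// Against a live install (path is an assumption; adjust to the site's wp-content):
// print_r( example_scan_plugins( '/var/www/html/wp-content/plugins' ) );
```

Run it with the PHP CLI on the web host, or drop the three functions into a WP-CLI command; the sample loop reports 2.2 and the header with no version as affected and 2.4 and 2.10 as not affected, which is the behaviour a string comparison would get wrong for 2.10.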

Generated by OpenCVE AI on April 30, 2026 at 17:00 UTC.

Advisories
Source: EUVD
ID: EUVD-2025-19943
Title: Missing Authorization vulnerability in kamleshyadav CF7 7 Mailchimp Add-on allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CF7 7 Mailchimp Add-on: from n/a through 2.2.
History

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Missing Authorization vulnerability in kamleshyadav CF7 7 Mailchimp Add-on allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CF7 7 Mailchimp Add-on: from n/a through 2.2.
  Added: Missing Authorization vulnerability in kamleshyadav CF7 7 Mailchimp Add-on CF7-mailchimp-addon allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects CF7 7 Mailchimp Add-on: from n/a through < 2.4.
Title
  Removed: WordPress CF7 7 Mailchimp Add-on plugin <= 2.2 - Broken Access Control Vulnerability
  Added: WordPress CF7 7 Mailchimp Add-on plugin < 2.4 - Broken Access Control Vulnerability
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


Tue, 08 Jul 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 04 Jul 2025 09:00:00 +0000

Type Values Removed Values Added
Description Missing Authorization vulnerability in kamleshyadav CF7 7 Mailchimp Add-on allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects CF7 7 Mailchimp Add-on: from n/a through 2.2.
Title WordPress CF7 7 Mailchimp Add-on plugin <= 2.2 - Broken Access Control Vulnerability
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}



MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:53.164Z

Reserved: 2025-03-11T08:11:02.522Z

Link: CVE-2025-29012

Vulnrichment

Updated: 2025-07-08T14:06:18.502Z

NVD

Status : Deferred

Published: 2025-07-04T09:15:32.900

Modified: 2026-04-23T15:26:46.987

Link: CVE-2025-29012

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-30T17:15:42Z

Weaknesses