Description
Insertion of Sensitive Information Into Sent Data vulnerability in Renzo Johnson contact-form-7-mailchimp-extension contact-form-7-mailchimp-extension allows Retrieve Embedded Sensitive Data.This issue affects contact-form-7-mailchimp-extension: from n/a through <= 0.9.68.
Published: 2025-12-30
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Renzo Johnson contact‑form‑7‑mailchimp‑extension plugin contains a flaw that allows attackers to add sensitive information to outgoing data. When the vulnerability is triggered, the plugin can expose embedded sensitive data that should not be publicly transmitted. This constitutes an information disclosure weakness (CWE‑201) that could compromise confidentiality of data submitted through WordPress contact forms.

Affected Systems

WordPress sites that have the Renzo Johnson Contact Form 7 Mailchimp Extension plugin installed, up to and including version 0.9.68. The impact applies to all installations of the plugin listed as affected by the vulnerability, regardless of the WordPress version or theme in use.

Risk and Exploitability

The CVSS score of 4.3 indicates a low severity rating, and the EPSS score of less than 1% shows a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is via the form interface: an attacker may submit crafted input or simply exploit the plugin’s default submission handling to trigger sensitive data transmission. No additional prerequisites such as elevated privileges are mentioned, so the attack could potentially be performed by anyone with access to the form.

Generated by OpenCVE AI on April 29, 2026 at 15:05 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Contact Form 7 Mailchimp Extension to a version newer than 0.9.68.
  • If upgrading is not immediately possible, configure the plugin to remove or mask any fields that may contain sensitive data before sending.
  • Review and restrict form submissions so that only necessary data is captured and ensure that no sensitive credentials or personal information are inadvertently included.

Generated by OpenCVE AI on April 29, 2026 at 15:05 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 23 Apr 2026 15:00:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

 cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Insertion of Sensitive Information Into Sent Data vulnerability in Renzo Johnson Contact Form 7 Extension For Mailchimp contact-form-7-mailchimp-extension allows Retrieve Embedded Sensitive Data.This issue affects Contact Form 7 Extension For Mailchimp: from n/a through <= 0.9.49. Insertion of Sensitive Information Into Sent Data vulnerability in Renzo Johnson contact-form-7-mailchimp-extension contact-form-7-mailchimp-extension allows Retrieve Embedded Sensitive Data.This issue affects contact-form-7-mailchimp-extension: from n/a through <= 0.9.68.
Title WordPress Contact Form 7 Extension For Mailchimp plugin <= 0.9.49 - Sensitive Data Exposure vulnerability WordPress Contact Form 7 Extension For Mailchimp plugin <= 0.9.68 - Sensitive Data Exposure vulnerability

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Mon, 05 Jan 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Renzojohnson
Renzojohnson contact Form 7 Extension For Mailchimp
Wordpress
Wordpress wordpress
Vendors & Products Renzojohnson
Renzojohnson contact Form 7 Extension For Mailchimp
Wordpress
Wordpress wordpress

Tue, 30 Dec 2025 23:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 30 Dec 2025 11:00:00 +0000

Type Values Removed Values Added
Description Insertion of Sensitive Information Into Sent Data vulnerability in Renzo Johnson Contact Form 7 Extension For Mailchimp contact-form-7-mailchimp-extension allows Retrieve Embedded Sensitive Data.This issue affects Contact Form 7 Extension For Mailchimp: from n/a through <= 0.9.49.
Title WordPress Contact Form 7 Extension For Mailchimp plugin <= 0.9.49 - Sensitive Data Exposure vulnerability
Weaknesses CWE-201
References

Subscriptions

Renzojohnson Contact Form 7 Extension For Mailchimp
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:33.789Z

Reserved: 2025-12-29T11:18:04.294Z

Link: CVE-2025-68989

cve-icon Vulnrichment

Updated: 2025-12-30T21:39:26.733Z

cve-icon NVD

Status : Deferred

Published: 2025-12-30T11:15:57.567

Modified: 2026-04-27T19:16:40.070

Link: CVE-2025-68989

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T15:15:14Z

Weaknesses