Description
The Connect Contact Form 7 and Mailchimp plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Mailchimp Merge Field Values in all versions up to, and including, 0.9.78.06 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The injected payload is only triggered when a privileged user (Administrator) performs a Contact Lookup for the email address submitted via the CF7 form, meaning execution is deferred until an administrator interacts with the affected entry.
Published: 2026-07-09
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Connect Contact Form 7 and Mailchimp WordPress plugin stores input from Mailchimp Merge Field Values without proper sanitization or output escaping. This flaw allows an unauthenticated attacker to inject arbitrary scripts that are stored in the database and later executed when an administrator performs a Contact Lookup for the submitted email. The stored payload triggers only when an authorized user with Administrator rights interacts with the affected entry, giving the attacker the ability to run malicious JavaScript in the context of the admin session, potentially allowing credential theft, session hijacking, defacement, or execution of additional payloads. The impact is therefore focused on confidentiality and integrity of privileged user sessions rather than system-wide denial of service.

Affected Systems

The vulnerability affects the WordPress plugin "Connect Contact Form 7 and Mailchimp" produced by vendor rnzo, with all releases up to and including version 0.9.78.06. Any WordPress site that has this plugin installed and operating within that version range is susceptible if it processes Mailchimp Merge Field Values.

Risk and Exploitability

The CVSS score of 7.2 indicates a high severity vulnerability. The EPSS score of less than 1% suggests that exploitation is considered unlikely in the short term, and the issue is not listed in the CISA KEV catalog. Nonetheless, because the flaw requires only form submission and no privileged access to upload files or install plugins, attackers can easily create the malicious input, though the actual code execution is deferred until an administrator logs into the site. This deferred execution creates a moderate to high risk to administrative accounts that can be compromised if multiple administrators review the same entries or if credentials are weak.

Generated by OpenCVE AI on July 9, 2026 at 23:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Connect Contact Form 7 and Mailchimp plugin to a version newer than 0.9.78.06.
  • Ensure that Mailchimp Merge Field values are properly sanitized and escaped before being stored and displayed.
  • Restrict the use of administrator accounts to a minimal set of trusted users and monitor for suspicious contact lookups or script execution attempts.

Generated by OpenCVE AI on July 9, 2026 at 23:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 09 Jul 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 09 Jul 2026 08:15:00 +0000

Type Values Removed Values Added
Description The Connect Contact Form 7 and Mailchimp plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Mailchimp Merge Field Values in all versions up to, and including, 0.9.78.06 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The injected payload is only triggered when a privileged user (Administrator) performs a Contact Lookup for the email address submitted via the CF7 form, meaning execution is deferred until an administrator interacts with the affected entry.
Title Connect Contact Form 7 and Mailchimp <= 0.9.78.06 - Unauthenticated Stored Cross-Site Scripting via Mailchimp Merge Field Values
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}


Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-07-09T14:33:50.288Z

Reserved: 2026-07-07T19:30:14.180Z

Link: CVE-2026-15000

cve-icon Vulnrichment

Updated: 2026-07-09T14:33:46.721Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-09T23:15:07Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')