Impact
The Connect Contact Form 7 and Mailchimp WordPress plugin stores input from Mailchimp Merge Field Values without proper sanitization or output escaping. This flaw allows an unauthenticated attacker to inject arbitrary scripts that are stored in the database and later executed when an administrator performs a Contact Lookup for the submitted email. The stored payload triggers only when an authorized user with Administrator rights interacts with the affected entry, giving the attacker the ability to run malicious JavaScript in the context of the admin session, potentially allowing credential theft, session hijacking, defacement, or execution of additional payloads. The impact is therefore focused on confidentiality and integrity of privileged user sessions rather than system-wide denial of service.
Affected Systems
The vulnerability affects the WordPress plugin "Connect Contact Form 7 and Mailchimp" produced by vendor rnzo, with all releases up to and including version 0.9.78.06. Any WordPress site that has this plugin installed and operating within that version range is susceptible if it processes Mailchimp Merge Field Values.
Risk and Exploitability
The CVSS score of 7.2 indicates a high severity vulnerability. The EPSS score of less than 1% suggests that exploitation is considered unlikely in the short term, and the issue is not listed in the CISA KEV catalog. Nonetheless, because the flaw requires only form submission and no privileged access to upload files or install plugins, attackers can easily create the malicious input, though the actual code execution is deferred until an administrator logs into the site. This deferred execution creates a moderate to high risk to administrative accounts that can be compromised if multiple administrators review the same entries or if credentials are weak.
OpenCVE Enrichment