Description
Missing Authorization vulnerability in CRM Perks Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms cf7-mailchimp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms: from n/a through <= 1.2.2.
Published: 2026-03-25
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access
Action: Patch Immediately
AI Analysis

Impact

The CRM Perks "Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms" plugin contains a missing authorization flaw (CWE-862). The plugin fails to properly verify a user's privileges before allowing access to certain configuration endpoints. As a result, an attacker who can reach those endpoints may read or modify the plugin's settings, potentially redirecting form submissions, exposing connection credentials, or altering the behavior of integrated services.

Affected Systems

WordPress sites that have installed the plugin in versions up to and including 1.2.2 are affected. The issue applies across the various form integration components – Mailchimp, WPForms, Elementor, and Ninja Forms – and is not limited to a particular form type or WordPress edition.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is submitting unauthorized HTTP requests to the plugin’s protected endpoints. Successful exploitation could result in unauthorized configuration changes, data exposure, or disruption of form processing.

Generated by OpenCVE AI on March 26, 2026 at 19:37 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Update the CRM Perks Integration plugin to the latest available release (at least 1.2.3).
  • If an update is not feasible at the moment, disable the plugin or limit its use to trusted administrators.
  • Review any external integration points or webhooks that interact with the plugin to confirm that they require authentication and restrict access accordingly.

Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Thu, 26 Mar 2026 17:15:00 +0000

Type: Metrics
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N'}; ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Added: Crm Perks; Crm Perks integration For Mailchimp And Contact Form 7, Wpforms, Elementor, Ninja Forms; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Crm Perks; Crm Perks integration For Mailchimp And Contact Form 7, Wpforms, Elementor, Ninja Forms; Wordpress; Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type: Description
Values Added: Missing Authorization vulnerability in CRM Perks Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms cf7-mailchimp allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms: from n/a through <= 1.2.2.

Type: Title
Values Added: WordPress Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms plugin <= 1.2.2 - Broken Access Control vulnerability

Type: Weaknesses
Values Added: CWE-862

Type: References
Values Added: (none listed)

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-23T14:14:09.602Z

Reserved: 2026-02-02T12:53:34.262Z

Link: CVE-2026-25430

Vulnrichment

Updated: 2026-03-26T16:32:05.410Z

NVD

Status : Awaiting Analysis

Published: 2026-03-25T17:16:50.593

Modified: 2026-04-23T15:37:09.490

Link: CVE-2026-25430

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-27T09:31:44Z

Weaknesses