{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-25430", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-02-02T12:53:34.262Z", "datePublished": "2026-03-25T16:14:49.329Z", "dateUpdated": "2026-03-25T16:14:49.329Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "cf7-mailchimp", "product": "Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms", "vendor": "CRM Perks", "versions": [{"changes": [{"at": "1.2.3", "status": "unaffected"}], "lessThanOrEqual": "<= 1.2.2", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:28.227Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Missing Authorization vulnerability in CRM Perks Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms cf7-mailchimp allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms: from n/a through <= 1.2.2.</p>"}], "value": "Missing Authorization vulnerability in CRM Perks Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms cf7-mailchimp allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms: from n/a through <= 1.2.2."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "description": "Missing Authorization", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:14:49.329Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/cf7-mailchimp/vulnerability/wordpress-integration-for-mailchimp-and-contact-form-7-wpforms-elementor-ninja-forms-plugin-1-2-2-broken-access-control-vulnerability?_s_id=cve"}], "title": "WordPress Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms plugin <= 1.2.2 - Broken Access Control vulnerability"}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Missing Authorization vulnerability in CRM Perks Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms cf7-mailchimp allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms: from n/a through <= 1.2.2."}], "id": "CVE-2026-25430", "lastModified": "2026-03-25T17:16:50.593", "metrics": {}, "published": "2026-03-25T17:16:50.593", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/cf7-mailchimp/vulnerability/wordpress-integration-for-mailchimp-and-contact-form-7-wpforms-elementor-ninja-forms-plugin-1-2-2-broken-access-control-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "audit@patchstack.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-03-25T18:52:49.758133+00:00", "value": {"mitigation_remediation": ["Update the CRM\u202fPerks Integration plugin to the latest version, which addresses the access\u2011control flaw.", "If an upgrade is not currently available, disable the plugin or remove it from the site to prevent exploitation.", "Restrict plugin functions to administrator roles only by adjusting WordPress role\u2011based permissions until a patch is applied.", "Monitor site logs for unusual activity involving the plugin\u2019s configuration endpoints, and apply additional file\u2011permission controls to the plugin directory as a temporary safeguard."], "summary": {"action": "Patch Now", "impact": "Unauthorized Access via Broken Access Control"}, "threat_synthesis": {"affected_systems": "WordPress sites running the \"Integration for Mailchimp and Contact Form\u202f7, WPForms, Elementor, Ninja Forms\" plugin provided by CRM\u202fPerks are affected. All releases from the initial version through 1.2.2 are vulnerable; the issue applies to all plugin integrations listed in the affected\u2011versions field, no later versions are mentioned.", "description_and_impact": "The vulnerability in the CRM\u202fPerks Integration plugin allows attackers to bypass authorization checks, enabling them to read or modify plugin configuration and potentially expose sensitive data. This misconfiguration in access control permits users without proper privileges to alter key settings, undermining the security of any connected Mailchimp or contact form integration. The absence of authentication safeguards creates a significant privilege\u2011escalation risk for compromised or unprivileged WordPress sites.", "risk_and_exploitability": "Although the CVSS score and EPSS are not disclosed, the lack of required authorization checks means exploitation is likely straightforward if the attacker can access any WordPress account. It is inferred that the attack vector involves authenticated or even unauthenticated access to the plugin\u2019s administrative API, allowing non\u2011admin users to execute privileged actions. The vulnerability is not listed in CISA\u2019s KEV catalog, but its potential to compromise data integrity and confidentiality makes it a high\u2011risk issue for all sites using the plugin before version 1.2.3."}}}}, "created": "2026-03-25T21:44:29.910146+00:00", "updated": "2026-03-25T21:44:29.910187+00:00", "vendors": []}