Stored Cross-Site Scripting Vulnerability in Connect Contact Form 7 and Mailchimp Plugin for WordPress
CVE-2026-15000
7.2HIGH
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 9 July 2026
What is CVE-2026-15000?
The Connect Contact Form 7 and Mailchimp plugin for WordPress contains a vulnerability that allows unauthenticated attackers to perform Stored Cross-Site Scripting. This occurs through improper handling of Mailchimp Merge Field Values, which leads to insufficient input sanitization and output escaping. When an administrator conducts a Contact Lookup for email addresses submitted through the CF7 form, any injected scripts may execute, posing a significant security risk. Affected versions include all releases up to 0.9.78.06, emphasizing the importance of timely updates to mitigate this issue.
Affected Version(s)
Connect Contact Form 7 and Mailchimp 0 <= 0.9.78.06