Stored Cross-Site Scripting Vulnerability in Connect Contact Form 7 and Mailchimp Plugin for WordPress
CVE-2026-15000

7.2HIGH

What is CVE-2026-15000?

The Connect Contact Form 7 and Mailchimp plugin for WordPress contains a vulnerability that allows unauthenticated attackers to perform Stored Cross-Site Scripting. This occurs through improper handling of Mailchimp Merge Field Values, which leads to insufficient input sanitization and output escaping. When an administrator conducts a Contact Lookup for email addresses submitted through the CF7 form, any injected scripts may execute, posing a significant security risk. Affected versions include all releases up to 0.9.78.06, emphasizing the importance of timely updates to mitigate this issue.

Affected Version(s)

Connect Contact Form 7 and Mailchimp 0 <= 0.9.78.06

References

CVSS V3.1

Score:
7.2
Severity:
HIGH
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Kitch
.