The Connect Contact Form 7 and Mailchimp plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Mailchimp Merge Field Values in all versions up to, and including, 0.9.78.06 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The injected payload is only triggered when a privileged user (Administrator) performs a Contact Lookup for the email address submitted via the CF7 form, meaning execution is deferred until an administrator interacts with the affected entry.
History

Fri, 10 Jul 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Rnzo
Rnzo connect Contact Form 7 And Mailchimp
Wordpress
Wordpress wordpress
Vendors & Products Rnzo
Rnzo connect Contact Form 7 And Mailchimp
Wordpress
Wordpress wordpress

Thu, 09 Jul 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 09 Jul 2026 08:15:00 +0000

Type Values Removed Values Added
Description The Connect Contact Form 7 and Mailchimp plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Mailchimp Merge Field Values in all versions up to, and including, 0.9.78.06 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The injected payload is only triggered when a privileged user (Administrator) performs a Contact Lookup for the email address submitted via the CF7 form, meaning execution is deferred until an administrator interacts with the affected entry.
Title Connect Contact Form 7 and Mailchimp <= 0.9.78.06 - Unauthenticated Stored Cross-Site Scripting via Mailchimp Merge Field Values
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N'}


cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published: 2026-07-09T06:52:48.758Z

Updated: 2026-07-09T14:33:50.288Z

Reserved: 2026-07-07T19:30:14.180Z

Link: CVE-2026-15000

cve-icon Vulnrichment

Updated: 2026-07-09T14:33:46.721Z

cve-icon NVD

No data.

cve-icon Redhat

No data.