CVE-2026-25430
Missing Authorization in Mailchimp CRM Perks Integration
Publication date: 2026-03-25
Last updated on: 2026-04-28
Assigner: Patchstack
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| crm_perks | integration_for_mailchimp | Up to 1.2.2 (inclusive) |
| crm_perks | contact_form_7 | Up to 1.2.2 (inclusive) |
| wpforms | wpforms | Up to 1.2.2 (inclusive) |
| elementor | elementor | Up to 1.2.2 (inclusive) |
| ninja_forms | ninja_forms | Up to 1.2.2 (inclusive) |
| crm_perks | integration_for_mailchimp | From 1.0.0 (inclusive) to 1.2.2 (inclusive) |
| crm_perks | contact_form_7 | From 1.0.0 (inclusive) to 1.2.2 (inclusive) |
| crm_perks | wpforms | From 1.0.0 (inclusive) to 1.2.2 (inclusive) |
| crm_perks | elementor | From 1.0.0 (inclusive) to 1.2.2 (inclusive) |
| crm_perks | ninja_forms | From 1.0.0 (inclusive) to 1.2.2 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-25430 is a Missing Authorization vulnerability in the WordPress Integration for Mailchimp and Contact Form 7, WPForms, Elementor, and Ninja Forms Plugin versions up to 1.2.2.
This vulnerability is caused by broken access control due to missing authorization, authentication, or nonce token checks in certain functions.
It allows unprivileged users (such as subscribers or developers) to perform actions that should be restricted to higher-privileged roles.
The flaw enables attackers to exploit the plugin in mass-exploit campaigns targeting thousands of websites regardless of their traffic or popularity.
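To show what "missing authorization, authentication, or nonce token checks in certain functions" looks like in a WordPress plugin, here is an added example that is not the plugin's own code: a hypothetical AJAX settings handler, first without any check (the CWE-862 pattern) and then with the capability and nonce checks a patched handler carries. The hook names, option name and nonce action are assumptions.

```php
<?php
// Added example, not the plugin's code. Hook, option and nonce names are made up.

// VULNERABLE (CWE-862): any logged-in user (e.g. a subscriber) can reach a
// wp_ajax_* hook, and this callback writes a plugin option without checking
// who is calling or whether the request was intentionally made.
add_action( 'wp_ajax_cp_save_setting_vuln', 'cp_save_setting_vuln' );
function cp_save_setting_vuln() {
    $key = isset( $_POST['api_key'] ) ? sanitize_text_field( wp_unslash( $_POST['api_key'] ) ) : '';
    update_option( 'cp_example_api_key', $key );
    wp_send_json_success();
}

// HARDENED: authorization check first, then a nonce check, then the work.
add_action( 'wp_ajax_cp_save_setting', 'cp_save_setting' );
function cp_save_setting() {
    // Authorization: changing plugin settings is an administrator-level action.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 ); // calls wp_die()
    }
    // CSRF protection: the request must carry a nonce issued for this action
    // (created on the settings page with wp_create_nonce( 'cp_save_setting' )).
    check_ajax_referer( 'cp_save_setting', 'nonce' ); // dies on failure by default
    $key = isset( $_POST['api_key'] ) ? sanitize_text_field( wp_unslash( $_POST['api_key'] ) ) : '';
    update_option( 'cp_example_api_key', $key );
    wp_send_json_success();
}
// Registering the same callback on a wp_ajax_nopriv_* hook would drop even the
// login requirement; only do that for actions meant for anonymous visitors.
```

The nonce check alone is not an authorization check: a subscriber can obtain a valid nonce for their own session, so `current_user_can()` must gate the action regardless of the nonce.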
How can this vulnerability impact me?
This vulnerability can lead to unauthorized privilege escalation, allowing attackers with low privileges to perform restricted actions.
Attackers can exploit this flaw to manipulate or control aspects of the affected WordPress plugin, potentially compromising website functionality or data.
Because the vulnerability can be exploited in mass campaigns, many websites using the affected plugin are at risk regardless of their size or popularity.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The vulnerability arises from missing authorization, authentication, or nonce token checks in certain functions of the affected plugin versions. Detection involves identifying attempts by unprivileged users to perform actions reserved for higher privileged roles.
Patchstack has issued a mitigation rule to block attacks targeting this vulnerability, which can be used to detect exploit attempts.
Specific commands for detection are not provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to update the Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms plugin to version 1.2.3 or later, where the vulnerability is fixed.
Until the update can be applied, Patchstack offers an automatic mitigation rule to block attacks exploiting this vulnerability.
Using Patchstack's auto-update and automatic mitigation features can ensure rapid protection against exploitation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability involves missing authorization and broken access control, which can allow unauthorized users to perform privileged actions. Such unauthorized access could potentially lead to exposure or manipulation of personal or sensitive data handled by the affected WordPress plugins.
While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, broken access control vulnerabilities generally pose risks to data confidentiality and integrity, which are critical requirements under these regulations.
Therefore, organizations using the affected plugins without applying the patch may face increased risk of non-compliance with data protection regulations due to potential unauthorized access to personal data.