CVE-2026-25430
Missing Authorization in Mailchimp CRM Perks Integration

Publication date: 2026-03-25

Last updated on: 2026-04-28

Assigner: Patchstack

Description
Missing Authorization vulnerability in CRM Perks Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms (plugin slug cf7-mailchimp) allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms: from n/a through <= 1.2.2.
Meta Information
Published: 2026-03-25
Last Modified: 2026-04-28
Generated: 2026-06-16
AI Q&A: 2026-03-25
EPSS Evaluated: 2026-06-15
Also listed in: NVD, EUVD
Affected Vendors & Products (10 associated CPEs)

Vendor        Product                     Version / Range
crm_perks     integration_for_mailchimp   up to 1.2.2 (inclusive)
crm_perks     contact_form_7              up to 1.2.2 (inclusive)
wpforms       wpforms                     up to 1.2.2 (inclusive)
elementor     elementor                   up to 1.2.2 (inclusive)
ninja_forms   ninja_forms                 up to 1.2.2 (inclusive)
crm_perks     integration_for_mailchimp   from 1.0.0 (inclusive) to 1.2.2 (inclusive)
crm_perks     contact_form_7              from 1.0.0 (inclusive) to 1.2.2 (inclusive)
crm_perks     wpforms                     from 1.0.0 (inclusive) to 1.2.2 (inclusive)
crm_perks     elementor                   from 1.0.0 (inclusive) to 1.2.2 (inclusive)
crm_perks     ninja_forms                 from 1.0.0 (inclusive) to 1.2.2 (inclusive)
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

CVE-2026-25430 is a Missing Authorization vulnerability in the WordPress plugin Integration for Mailchimp and Contact Form 7, WPForms, Elementor, and Ninja Forms, affecting versions up to 1.2.2.

This vulnerability is caused by broken access control due to missing authorization, authentication, or nonce token checks in certain functions.

It allows unprivileged users, such as subscribers or developers, to perform actions that should be restricted to higher-privileged roles.

The flaw enables attackers to exploit the plugin in mass-exploit campaigns targeting thousands of websites regardless of their traffic or popularity.

Impact Analysis

This vulnerability can lead to unauthorized privilege escalation, allowing attackers with low privileges to perform restricted actions.

Attackers can exploit this flaw to manipulate or control aspects of the affected WordPress plugin, potentially compromising website functionality or data.

Because the vulnerability can be exploited in mass campaigns, many websites using the affected plugin are at risk regardless of their size or popularity.

Detection Guidance

The vulnerability arises from missing authorization, authentication, or nonce token checks in certain functions of the affected plugin versions. Detection involves identifying attempts by unprivileged users to perform actions reserved for higher privileged roles.

Patchstack has issued a mitigation rule to block attacks targeting this vulnerability, which can be used to detect exploit attempts.

Specific commands for detection are not provided in the available resources.

Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms plugin to version 1.2.3 or later, where the vulnerability is fixed.

Until the update can be applied, Patchstack offers an automatic mitigation rule to block attacks exploiting this vulnerability.

Using Patchstack's auto-update and automatic mitigation features can ensure rapid protection against exploitation.

Compliance Impact

The vulnerability involves missing authorization and broken access control, which can allow unauthorized users to perform privileged actions. Such unauthorized access could potentially lead to exposure or manipulation of personal or sensitive data handled by the affected WordPress plugins.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, broken access control vulnerabilities generally pose risks to data confidentiality and integrity, which are critical requirements under these regulations.

Therefore, organizations using the affected plugins without applying the patch may face increased risk of non-compliance with data protection regulations due to potential unauthorized access to personal data.
