CVE-2026-15000
Received Received - Intake

Stored XSS in Connect Contact Form 7 and Mailchimp WordPress Plugin

Vulnerability report for CVE-2026-15000, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: Wordfence

Description

The Connect Contact Form 7 and Mailchimp plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Mailchimp Merge Field Values in all versions up to, and including, 0.9.78.06 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The injected payload is only triggered when a privileged user (Administrator) performs a Contact Lookup for the email address submitted via the CF7 form, meaning execution is deferred until an administrator interacts with the affected entry.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
mailchimp contact_form_7 to 0.9.78.06 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The vulnerability exists in the Connect Contact Form 7 and Mailchimp plugin for WordPress, affecting all versions up to and including 0.9.78.06. It is a Stored Cross-Site Scripting (XSS) flaw caused by insufficient input sanitization and output escaping of Mailchimp Merge Field Values.

This allows unauthenticated attackers to inject arbitrary web scripts into pages. These scripts execute when a privileged user, specifically an Administrator, performs a Contact Lookup for the email address submitted via the Contact Form 7 form. The malicious code execution is deferred until the administrator interacts with the affected entry.

Impact Analysis

This vulnerability can lead to the execution of arbitrary scripts in the context of an administrator's browser session. Since the attack is triggered when an administrator performs a Contact Lookup, it can result in unauthorized actions such as stealing administrator credentials, hijacking sessions, or performing actions on behalf of the administrator.

The impact includes potential compromise of the WordPress site’s administrative functions and data integrity, as well as possible further exploitation of the site or connected systems.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15000. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart