CVE-2026-15000 in Connect Contact Form 7 Plugininfo

Summary

by MITRE • 07/09/2026

The Connect Contact Form 7 and Mailchimp plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Mailchimp Merge Field Values in all versions up to, and including, 0.9.78.06 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The injected payload is only triggered when a privileged user (Administrator) performs a Contact Lookup for the email address submitted via the CF7 form, meaning execution is deferred until an administrator interacts with the affected entry.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/09/2026

The Connect Contact Form 7 and Mailchimp plugin for WordPress presents a critical stored cross-site scripting vulnerability that affects all versions up to and including 097806. This security flaw resides in the handling of Mailchimp merge field values within the plugin's data processing pipeline, creating an exploitable condition where malicious payloads can be persisted and executed. The vulnerability stems from inadequate input sanitization mechanisms and insufficient output escaping routines that fail to properly neutralize potentially dangerous characters and script sequences before they are stored in the database and subsequently rendered in user-facing interfaces.

The technical nature of this vulnerability places it firmly within the CWE-79 category of Cross-Site Scripting, specifically classified as a stored variant where malicious code is permanently injected into the application's data store rather than being reflected in a single request. The exploit requires minimal privileges from an attacker since no authentication is needed to submit the malicious payload through the Contact Form 7 interface. However, the execution of the injected script is deferred until a privileged user with administrator-level permissions performs a specific action - namely conducting a Contact Lookup for the email address that was submitted via the compromised form. This timing mechanism creates a unique attack vector where the malicious code remains dormant until an administrator interacts with the affected data entry.

The operational impact of this vulnerability extends beyond simple script execution, as it provides attackers with the capability to perform session hijacking, steal sensitive administrative credentials, and potentially establish persistent backdoors within the WordPress environment. When an administrator performs the Contact Lookup action, the malicious payload executes within the context of their privileged browser session, enabling the attacker to perform any action that the administrator is authorized to do. This includes accessing confidential user data, modifying content, installing malicious plugins, or even completely compromising the entire WordPress installation through the elevated privileges gained from the executed script.

The vulnerability demonstrates a classic case of insufficient input validation combined with inadequate output sanitization, creating an environment where user-supplied data flows directly into rendered HTML without proper security filtering. This pattern aligns with ATT&CK technique T1566.001 for Initial Access through spearphishing attachments and T1078.004 for Valid Accounts using legitimate credentials to access systems. Organizations using this plugin are particularly vulnerable since the attack can remain undetected for extended periods while malicious code persists in the database, waiting for administrator interaction before activation.

Mitigation strategies should prioritize immediate patching of all affected versions to address the core sanitization and escaping deficiencies within the plugin's data handling processes. Administrators should implement additional monitoring of user submissions and contact lookup activities to detect anomalous behavior patterns that might indicate exploitation attempts. Network-level protections such as web application firewalls can provide additional defense-in-depth measures by filtering suspicious script patterns in HTTP requests, though these solutions are not foolproof against sophisticated attacks. Regular security audits of plugin installations and implementation of principle of least privilege access controls for administrative functions will further reduce the attack surface and potential impact of such vulnerabilities within WordPress environments.

Responsible

Wordfence

Reservation

07/07/2026

Disclosure

07/09/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!