Connect Contact Form 7 and Mailchimp Stored Cross-Site Scripting Vulnerability
The Connect Contact Form 7 and Mailchimp plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Mailchimp Merge Field Values in all versions up to, and including, 0.9.78.06 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The injected payload is only triggered when a privileged user (Administrator) performs a Contact Lookup for the email address submitted via the CF7 form, meaning execution is deferred until an administrator interacts with the affected entry.
Quick answer
Connect Contact Form 7 and Mailchimp should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.
Who is affected
Affected versions
- Connect Contact Form 7 and Mailchimp up to and including 0.9.78.06
Fixed versions
- Apply the latest vendor-supported patched version.
How to fix it
Connect Contact Form 7 and Mailchimp is affected by CVE-2026-15000. Vulnerable versions up to 0.9.78.06 allow stored cross-site scripting: unauthenticated attackers can store script in Mailchimp merge field values that executes when an administrator performs a contact lookup. Patch or disable the plugin, then clean stored content and review administrator sessions.
- Inventory all WordPress sites using Connect Contact Form 7 and Mailchimp.
- Update Connect Contact Form 7 and Mailchimp beyond 0.9.78.06 when a vendor-fixed release is available.
- Disable the plugin temporarily if patching is delayed and the affected workflow is reachable.
- Review shortcode attributes, form submissions, merge fields, blocks, and plugin records for stored script payloads.
- Remove malicious content and purge WordPress, object, page, and CDN caches.
- Apply a Content Security Policy where compatible to reduce XSS impact.
- Review administrator sessions and reset credentials if privileged users interacted with injected content.
Scan now. Google sign-in is only needed to unlock fix guidance.
Verify the fix
- Confirm Connect Contact Form 7 and Mailchimp is no longer running version 0.9.78.06 or older.
- Submit harmless script-like input in staging and confirm it is rejected or escaped on output.
- Open affected pages or admin lookup flows and confirm no stored script executes.
- Review rendered HTML for unsafe unescaped plugin attributes.
- Run a Fixnx scan and verify public WordPress exposure after cleanup.
Related categories
Trusted references
FAQ
What is affected by CVE-2026-15000?
Connect Contact Form 7 and Mailchimp versions listed as affected should be reviewed: Connect Contact Form 7 and Mailchimp up to and including 0.9.78.06.
What should I fix first?
Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.
How do I confirm the fix worked?
Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.
Why can this risk appear in multiple categories?
A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.
