CVE-2026-15000 Overview
CVE-2026-15000 is a stored Cross-Site Scripting (XSS) vulnerability [CWE-79] in the Connect Contact Form 7 and Mailchimp plugin for WordPress. The flaw affects all versions up to and including 0.9.78.06. Unauthenticated attackers can inject arbitrary web scripts through Mailchimp Merge Field Values submitted via a Contact Form 7 (CF7) form. The plugin fails to sanitize input and escape output when the submitted data is later rendered. Execution is deferred until a WordPress Administrator performs a Contact Lookup on the affected email address, at which point the injected script runs in the administrator's browser session.
Critical Impact
Unauthenticated attackers can execute arbitrary JavaScript in a WordPress Administrator's authenticated session, enabling session theft, account takeover, and further site compromise.
Affected Products
- Connect Contact Form 7 and Mailchimp plugin for WordPress
- All versions up to and including 0.9.78.06
- WordPress sites using the Mailchimp Merge Field integration and Contact Lookup feature
Discovery Timeline
- 2026-07-09 - CVE-2026-15000 published to NVD
- 2026-07-09 - Last updated in NVD database
Technical Details for CVE-2026-15000
Vulnerability Analysis
The vulnerability resides in how the plugin processes Mailchimp Merge Field Values submitted through Contact Form 7 forms. Attackers can insert JavaScript payloads into merge field values during an unauthenticated form submission. The plugin stores these values without sufficient sanitization. When an Administrator later invokes the Contact Lookup feature to review the submitted email, the plugin renders the stored merge field values without adequate output escaping. The browser then interprets the payload as executable script within the administrator's authenticated context.
This stored XSS pattern is particularly effective because the malicious payload persists in the site's data store. Every subsequent Contact Lookup on the poisoned record re-executes the script, extending the window of exploitation.
Root Cause
The root cause is a combination of missing input sanitization on submission handling and missing output escaping on the administrator-facing rendering path. Relevant code paths identified in vendor references include class-cmatic-merge-vars-builder.php (submission processing), class-cmatic-contact-lookup.php (lookup rendering), and the chimpmatic-lite.js client-side handlers. The plugin trusts merge field content received via the CF7 submission pipeline and reflects it into the WordPress admin interface without applying WordPress escape functions such as esc_html() or esc_attr().
Attack Vector
Exploitation requires no authentication and no privileges on the target site. An attacker submits a crafted Contact Form 7 form that includes a JavaScript payload inside a Mailchimp merge field value, such as the first name or a custom merge tag mapped to the form. The payload is stored server-side. When an Administrator later performs a Contact Lookup on the attacker-supplied email address, the payload executes with administrator privileges in the browser. This enables session cookie theft, forced administrative actions via CSRF-free authenticated requests, plugin or theme installation, and creation of persistent backdoor accounts. See the Wordfence Vulnerability Analysis for additional technical context.
Detection Methods for CVE-2026-15000
Indicators of Compromise
- CF7 form submissions containing HTML tags such as <script>, <img onerror=>, or <svg onload=> in merge field values including first name, last name, or custom fields
- Unusual outbound requests from administrator browsers to external hosts shortly after opening the Mailchimp Contact Lookup panel
- New WordPress administrator accounts, unexpected plugin installations, or modified wp_options entries created shortly after admin lookups
- Presence of stored merge field values containing URL-encoded or Base64-encoded JavaScript payloads in plugin database tables
Detection Strategies
- Inspect the plugin's contact lookup and merge variable database tables for entries containing HTML or JavaScript syntax in merge field values
- Monitor web server logs for CF7 submission endpoints receiving payloads matching XSS patterns
- Enable WordPress audit logging to correlate administrator Contact Lookup actions with subsequent privileged changes
- Deploy a Content Security Policy (CSP) that blocks inline script execution in the WordPress admin area and log CSP violation reports
Monitoring Recommendations
- Alert on creation of new administrator-level users or role changes outside of documented change windows
- Track file integrity for wp-content/plugins, wp-content/themes, and wp-content/mu-plugins directories
- Forward web server, WordPress, and endpoint telemetry to a centralized data lake for correlation across CF7 submissions and subsequent admin activity
- Monitor for unexpected outbound HTTP requests from workstations used by WordPress administrators
How to Mitigate CVE-2026-15000
Immediate Actions Required
- Update the Connect Contact Form 7 and Mailchimp plugin to a version later than 0.9.78.06 that includes the fix referenced in the WordPress Changeset Review
- Audit stored CF7 submissions and Mailchimp merge field data for existing malicious payloads and purge affected records
- Rotate WordPress administrator passwords and invalidate active sessions if the Contact Lookup feature has been used since the plugin was installed
- Review recent administrator activity for signs of exploitation, including new users, plugin installations, and configuration changes
Patch Information
The vendor addressed the vulnerability in the version following 0.9.78.06. The fix, tracked in changeset 3599649, adds input sanitization on merge variable submission and output escaping in the Contact Lookup rendering path. Site operators should upgrade through the WordPress plugin updater or by replacing the plugin directory with the patched release. Verify the installed version after upgrade to confirm the fix is applied.
Workarounds
- Deactivate the Connect Contact Form 7 and Mailchimp plugin until the patched version is installed
- Restrict access to the Mailchimp Contact Lookup admin page using role-based access controls or a WordPress security plugin
- Deploy a Web Application Firewall (WAF) rule that blocks CF7 submissions containing HTML or JavaScript syntax in merge field parameters
- Apply a strict Content Security Policy in the WordPress admin interface to prevent inline script execution
# Example WAF rule pattern to block script tags in CF7 merge field submissions
# ModSecurity-style rule (adapt to your WAF syntax)
SecRule ARGS_NAMES "@rx (your-first-name|your-last-name|merge_)" \
"chain,id:1015000,phase:2,deny,status:403,msg:'CVE-2026-15000 XSS attempt in CF7 Mailchimp merge field'"
SecRule ARGS "@rx (?i)(<script|onerror=|onload=|javascript:|<svg|<img[^>]+on)" \
"t:none,t:urlDecodeUni,t:htmlEntityDecode"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

