Skip to content
Threat Feed
high advisory

CVE-2026-15000: WordPress Plugin Stored XSS

The Connect Contact Form 7 and Mailchimp plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) due to insufficient input sanitization. This vulnerability, affecting versions up to and including 0.9.78.06, allows unauthenticated attackers to inject arbitrary web scripts into pages. These scripts execute when a privileged user (Administrator) performs a Contact Lookup on an email address submitted via a CF7 form, indicating a deferred execution model. Detection engineers should focus on monitoring for unusual script injections in forms and administrator interactions with plugin data.

The Connect Contact Form 7 and Mailchimp plugin for WordPress, specifically versions up to and including 0.9.78.06, is affected by CVE-2026-15000, a critical Stored Cross-Site Scripting (XSS) vulnerability. This flaw stems from insufficient input sanitization and output escaping of Mailchimp Merge Field Values. Unauthenticated attackers can exploit this by injecting arbitrary web scripts into form submissions. These scripts are then stored in the database. The unique aspect of this vulnerability is its deferred execution; the malicious payload only triggers when a privileged user, typically an Administrator, performs a 'Contact Lookup' for the email address submitted via the affected Contact Form 7. This means the attacker’s script executes within the administrator's browser, posing a significant risk for administrative session compromise, website defacement, or further compromise of the WordPress installation. Defenders must prioritize patching to mitigate this unauthenticated remote code execution vector.

Attack Chain

  1. An unauthenticated attacker identifies a WordPress site running the vulnerable "Connect Contact Form 7 and Mailchimp" plugin (versions <= 0.9.78.06).
  2. The attacker crafts a malicious web script payload, encoding it for submission within a Mailchimp Merge Field Value.
  3. The attacker submits a Contact Form 7 form on the target WordPress site, embedding the malicious script into one of the Mailchimp Merge Field Values.
  4. Due to insufficient input sanitization and output escaping, the plugin stores the crafted malicious script directly into the site's database.
  5. A privileged user (e.g., an Administrator) accesses the WordPress administration panel and performs a "Contact Lookup" for the email address associated with the attacker's submission.
  6. When the administrator's browser loads the page displaying the details of the affected contact entry, the stored malicious script is retrieved from the database and executed within the administrator's browser context.
  7. The attacker's script executes with the administrator's privileges, potentially allowing session hijacking, credential theft, or further compromise of the WordPress site.

Impact

Successful exploitation of CVE-2026-15000 allows unauthenticated attackers to inject arbitrary web scripts that execute in a privileged user's browser. This can lead to complete compromise of the affected WordPress site, including administrative access, data manipulation, defacement, or redirection of visitors to malicious sites. While no specific victim counts are provided, all WordPress installations utilizing the vulnerable plugin versions are at risk, with the primary impact being on website integrity and visitor trust.

Recommendation

  • Patch CVE-2026-15000 by updating the Connect Contact Form 7 and Mailchimp plugin to a patched version greater than 0.9.78.06 immediately.
  • Deploy the Sigma rule 'Detect Stored XSS via WordPress Plugin Mailchimp Form Submission (CVE-2026-15000)' to your SIEM and tune it for your environment to identify suspicious POST requests containing XSS payloads.
  • Regularly review web server access logs for unusual patterns in form submissions, particularly POST requests to WordPress endpoints, looking for attempts to inject script tags or HTML entities.

Detection coverage 1

Detect Stored XSS via WordPress Plugin Mailchimp Form Submission (CVE-2026-15000)

high

Detects CVE-2026-15000 exploitation - HTTP POST requests containing common XSS patterns in the URI query parameters, indicating an attempt to inject malicious scripts into Mailchimp Merge Field Values via the vulnerable WordPress plugin.

sigma tactics: execution, initial_access techniques: T1059.007 sources: webserver

Detection queries are available on the platform. Get full rules →