{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/connect-contact-form-7-and-mailchimp-plugin--0.9.78.06/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-15000"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Connect Contact Form 7 and Mailchimp plugin (\u003c= 0.9.78.06)"],"_cs_severities":["high"],"_cs_tags":["wordpress","plugin","xss","webserver"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eThe Connect Contact Form 7 and Mailchimp plugin for WordPress, specifically versions up to and including 0.9.78.06, is affected by CVE-2026-15000, a critical Stored Cross-Site Scripting (XSS) vulnerability. This flaw stems from insufficient input sanitization and output escaping of Mailchimp Merge Field Values. Unauthenticated attackers can exploit this by injecting arbitrary web scripts into form submissions. These scripts are then stored in the database. The unique aspect of this vulnerability is its deferred execution; the malicious payload only triggers when a privileged user, typically an Administrator, performs a 'Contact Lookup' for the email address submitted via the affected Contact Form 7. This means the attacker’s script executes within the administrator's browser, posing a significant risk for administrative session compromise, website defacement, or further compromise of the WordPress installation. Defenders must prioritize patching to mitigate this unauthenticated remote code execution vector.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a WordPress site running the vulnerable \u0026quot;Connect Contact Form 7 and Mailchimp\u0026quot; plugin (versions \u0026lt;= 0.9.78.06).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious web script payload, encoding it for submission within a Mailchimp Merge Field Value.\u003c/li\u003e\n\u003cli\u003eThe attacker submits a Contact Form 7 form on the target WordPress site, embedding the malicious script into one of the Mailchimp Merge Field Values.\u003c/li\u003e\n\u003cli\u003eDue to insufficient input sanitization and output escaping, the plugin stores the crafted malicious script directly into the site's database.\u003c/li\u003e\n\u003cli\u003eA privileged user (e.g., an Administrator) accesses the WordPress administration panel and performs a \u0026quot;Contact Lookup\u0026quot; for the email address associated with the attacker's submission.\u003c/li\u003e\n\u003cli\u003eWhen the administrator's browser loads the page displaying the details of the affected contact entry, the stored malicious script is retrieved from the database and executed within the administrator's browser context.\u003c/li\u003e\n\u003cli\u003eThe attacker's script executes with the administrator's privileges, potentially allowing session hijacking, credential theft, or further compromise of the WordPress site.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-15000 allows unauthenticated attackers to inject arbitrary web scripts that execute in a privileged user's browser. This can lead to complete compromise of the affected WordPress site, including administrative access, data manipulation, defacement, or redirection of visitors to malicious sites. While no specific victim counts are provided, all WordPress installations utilizing the vulnerable plugin versions are at risk, with the primary impact being on website integrity and visitor trust.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-15000 by updating the Connect Contact Form 7 and Mailchimp plugin to a patched version greater than 0.9.78.06 immediately.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule 'Detect Stored XSS via WordPress Plugin Mailchimp Form Submission (CVE-2026-15000)' to your SIEM and tune it for your environment to identify suspicious POST requests containing XSS payloads.\u003c/li\u003e\n\u003cli\u003eRegularly review web server access logs for unusual patterns in form submissions, particularly POST requests to WordPress endpoints, looking for attempts to inject script tags or HTML entities.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-09T08:23:38Z","date_published":"2026-07-09T08:23:38Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-15000-wp-xss/","summary":"The Connect Contact Form 7 and Mailchimp plugin for WordPress is vulnerable to Stored Cross-Site Scripting (XSS) due to insufficient input sanitization. This vulnerability, affecting versions up to and including 0.9.78.06, allows unauthenticated attackers to inject arbitrary web scripts into pages. These scripts execute when a privileged user (Administrator) performs a Contact Lookup on an email address submitted via a CF7 form, indicating a deferred execution model. Detection engineers should focus on monitoring for unusual script injections in forms and administrator interactions with plugin data.","title":"CVE-2026-15000: WordPress Plugin Stored XSS","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-15000-wp-xss/"}],"language":"en","title":"CraftedSignal Threat Feed - Connect Contact Form 7 and Mailchimp Plugin (\u003c= 0.9.78.06)","version":"https://jsonfeed.org/version/1.1"}