CVE-2026-25430 MEDIUM

CVE-2026-25430: WordPress Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms plugin <= 1.2.2 - Broken Access Control vulnerability

Vendor Crm Perks
Product Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms
Weakness CWE-862 · Missing authorization
Published March 25, 2026
Last update April 28, 2026

CVSS base score

6.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01Description

Missing Authorization vulnerability in CRM Perks Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms cf7-mailchimp allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms: from n/a through <= 1.2.2.

Explanation of Vulnerability in Simple Terms

02Summary

The Integration for Mailchimp and Contact Form 7 plugin for WordPress contains an authorization flaw that allows authenticated users to read sensitive data they should not have access to. An attacker with a low-privilege account can retrieve confidential information from the plugin without proper permission checks. This affects versions up to 1.2.2. Site administrators should update to a patched version when available.

What an attacker can do

03Attacker Capabilities

Read sensitive data from the plugin that should be restricted to higher-privilege users.

Potential impact on your site

04Site Impact

Confidential plugin data may be exposed to low-privilege users, potentially including API keys or customer information.

Conditions required to exploit

05Prerequisites

Attacker must have a low-privilege WordPress account (e.g., subscriber or contributor role).

Key dates

06Disclosure timeline

March 25, 2026 CVE published
April 28, 2026 Record updated

Related vulnerabilities

08Related CVE