What the vulnerability does
01Description
Missing Authorization vulnerability in CRM Perks Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms cf7-mailchimp allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms: from n/a through <= 1.2.2.
Explanation of Vulnerability in Simple Terms
02Summary
The Integration for Mailchimp and Contact Form 7 plugin for WordPress contains an authorization flaw that allows authenticated users to read sensitive data they should not have access to. An attacker with a low-privilege account can retrieve confidential information from the plugin without proper permission checks. This affects versions up to 1.2.2. Site administrators should update to a patched version when available.
What an attacker can do
03Attacker Capabilities
Read sensitive data from the plugin that should be restricted to higher-privilege users.
Potential impact on your site
04Site Impact
Confidential plugin data may be exposed to low-privilege users, potentially including API keys or customer information.
Conditions required to exploit
05Prerequisites
Attacker must have a low-privilege WordPress account (e.g., subscriber or contributor role).
Key dates
06Disclosure timeline
March 25, 2026
CVE published
April 28, 2026
Record updated