Connect Contact Form 7 and Mailchimp Security & Risk Analysis

wordpress.org/plugins/contact-form-7-mailchimp-extension

Connect Contact Form 7 to Mailchimp. Automatically sync form submissions to your Mailchimp audiences with merge field mapping, double opt-in, and opt- …

50K active installs · v0.9.76 · PHP 7.4+ · WP 6.1+ · Updated Feb 26, 2026

Tags: cf7-mailchimp, contact-form-7, contact-form-7-mailchimp, mailchimp, mailchimp-integration

Score: 96 (A · Safe)
CVEs total: 3
Unpatched: 0
Last CVE: Dec 21, 2025
Safety Verdict

Is Connect Contact Form 7 and Mailchimp Safe to Use in 2026?

Generally Safe

Score 96/100

Connect Contact Form 7 and Mailchimp has a strong security track record. Known vulnerabilities have been patched promptly.

3 known CVEs · Last CVE: Dec 21, 2025 · Updated 1mo ago
Risk Assessment

The plugin "contact-form-7-mailchimp-extension" v0.9.76 exhibits a mixed security posture. While the static analysis shows a strong adherence to secure coding practices, with a high percentage of SQL queries using prepared statements and output properly escaped, and no critical or high-severity taint flows detected, its vulnerability history raises significant concerns. The plugin has a history of three medium-severity CVEs, including exposure of sensitive information, CSRF, and SSRF. The fact that the last reported vulnerability was in 2025 suggests potential for ongoing or recurring security issues, despite the current lack of unpatched vulnerabilities.

The attack surface is minimal with no identified AJAX handlers, REST API routes, or shortcodes exposed without authentication. However, the presence of 9 cron events warrants attention, as these can sometimes be overlooked in security audits and potentially exploited. The plugin also performs file operations and external HTTP requests, which are common vectors for vulnerabilities if not handled with extreme care. While the current analysis doesn't reveal immediate exploitable flaws in the provided data, the historical pattern of medium-severity vulnerabilities and the nature of those vulnerabilities (SSRF, information exposure) suggest a need for continued vigilance and thorough auditing of any future updates.

Key Concerns

  • History of 3 medium CVEs
  • Presence of 9 cron events
  • 3 file operations
  • 7 external HTTP requests
Vulnerabilities (3)

Connect Contact Form 7 and Mailchimp Security Vulnerabilities

CVEs by Year

  • 2024: 2 CVEs (patched)
  • 2025: 1 CVE (patched)

All listed CVEs are patched; none are unpatched.

Severity Breakdown

  • Medium: 3

3 total CVEs

CVE-2025-68989 · medium · 4.3 · Exposure of Sensitive Information to an Unauthorized Actor

Contact Form 7 Extension For Mailchimp <= 0.9.54 - Authenticated (Contributor+) Information Exposure

Dec 21, 2025 Patched in 0.9.69 (24d)
CVE-2024-33677 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

Contact Form 7 Extension For Mailchimp <= 0.5.73 - Cross-Site Request Forgery

Apr 26, 2024 Patched in 0.9.19 (531d)
CVE-2024-22134 · medium · 5.4 · Server-Side Request Forgery (SSRF)

Contact Form 7 Extension For Mailchimp <= 0.5.70 - Authenticated (Subscriber+) Server-Side Request Forgery

Jan 8, 2024 Patched in 0.9.19 (634d)
Code Analysis
Analyzed Mar 16, 2026

Connect Contact Form 7 and Mailchimp Code Analysis

  • Dangerous Functions: 0
  • Raw SQL Queries: 5 (11 prepared)
  • Unescaped Output: 13 (186 escaped)
  • Nonce Checks: 6
  • Capability Checks: 14
  • File Operations: 3
  • External Requests: 7
  • Bundled Libraries: 0

SQL Query Safety

69% prepared (16 total queries)

Output Escaping

93% escaped (199 total outputs)

Data Flows: all sanitized

Data Flow Analysis

2 flows

  • save_settings (includes\admin\class-cmatic-admin-panel.php:108)

Legend: Source (user input) · Sink (dangerous op) · Sanitizer · Transform · Unsanitized · Sanitized
Attack Surface

Connect Contact Form 7 and Mailchimp Attack Surface

Entry Points: 0
Unprotected: 0
WordPress Hooks: 52
  • filter: wpcf7_editor_panels (includes\admin\class-cmatic-admin-panel.php:18)
  • action: wpcf7_after_save (includes\admin\class-cmatic-admin-panel.php:19)
  • action: wpcf7_admin_misc_pub_section (includes\admin\class-cmatic-admin-panel.php:20)
  • action: wpcf7_admin_footer (includes\admin\class-cmatic-admin-panel.php:21)
  • action: admin_enqueue_scripts (includes\admin\class-cmatic-asset-loader.php:22)
  • action: admin_enqueue_scripts (includes\admin\class-cmatic-asset-loader.php:23)
  • action: admin_enqueue_scripts (includes\admin\class-cmatic-asset-loader.php:24)
  • filter: admin_body_class (includes\admin\class-cmatic-asset-loader.php:25)
  • action: admin_enqueue_scripts (includes\admin\class-cmatic-deactivation-survey.php:38)
  • action: admin_footer (includes\admin\class-cmatic-deactivation-survey.php:39)
  • action: rest_api_init (includes\admin\class-cmatic-deactivation-survey.php:40)
  • action: init (includes\admin\class-cmatic-deactivation-survey.php:251)
  • action: after_setup_theme (includes\admin\class-cmatic-plugin-links.php:22)
  • filter: plugin_row_meta (includes\admin\class-cmatic-plugin-links.php:23)
  • action: rest_api_init (includes\api\class-cmatic-contact-lookup.php:80)
  • action: rest_api_init (includes\api\class-cmatic-log-viewer.php:36)
  • action: admin_enqueue_scripts (includes\api\class-cmatic-log-viewer.php:37)
  • action: rest_api_init (includes\api\class-cmatic-rest-form.php:72)
  • action: rest_api_init (includes\api\class-cmatic-rest-lists.php:25)
  • action: rest_api_init (includes\api\class-cmatic-rest-reset.php:43)
  • action: rest_api_init (includes\api\class-cmatic-rest-settings.php:53)
  • filter: wpcf7_feedback_response (includes\api\class-cmatic-submission-feedback.php:18)
  • action: admin_init (includes\core\class-cmatic-activator.php:190)
  • action: plugins_loaded (includes\core\class-cmatic-activator.php:206)
  • action: admin_init (includes\services\class-cmatic-cf7-dependency.php:21)
  • action: admin_notices (includes\services\class-cmatic-cf7-dependency.php:23)
  • filter: wpcf7_special_mail_tags (includes\services\class-cmatic-cf7-tags.php:16)
  • action: wpcf7_init (includes\services\class-cmatic-cf7-tags.php:17)
  • filter: wpcf7_form_tag (includes\services\class-cmatic-cf7-tags.php:20)
  • action: init (includes\services\class-cmatic-cron.php:20)
  • action: admin_init (includes\services\class-cmatic-pro-syncer.php:22)
  • action: wpcf7_before_send_mail (includes\services\class-cmatic-submission-handler.php:17)
  • action: admin_init (includes\signals\Bootstrap.php:57)
  • action: cmatic_weekly_telemetry (includes\signals\Bootstrap.php:58)
  • filter: cron_schedules (includes\signals\Bootstrap.php:101)
  • filter: cron_schedules (includes\signals\Core\Scheduler.php:20)
  • action: cmatic_metrics_heartbeat (includes\signals\Core\Scheduler.php:21)
  • action: admin_init (includes\signals\Core\Scheduler.php:22)
  • action: cmatic_subscription_success (includes\signals\Core\Scheduler.php:23)
  • action: cmatic_metrics_on_activation (includes\signals\Core\Tracker.php:20)
  • action: cmatic_metrics_on_deactivation (includes\signals\Core\Tracker.php:21)
  • action: admin_bar_menu (includes\ui\class-cmatic-admin-bar-menu.php:29)
  • action: wp_enqueue_scripts (includes\ui\class-cmatic-admin-bar-menu.php:30)
  • action: admin_enqueue_scripts (includes\ui\class-cmatic-admin-bar-menu.php:31)
  • action: admin_footer (includes\ui\class-cmatic-admin-bar-menu.php:32)
  • action: wp_footer (includes\ui\class-cmatic-admin-bar-menu.php:33)
  • filter: wpcf7_form_response_output (includes\ui\class-cmatic-banners.php:15)
  • filter: wpcf7_form_class_attr (includes\ui\class-cmatic-form-classes.php:15)
  • action: admin_enqueue_scripts (includes\ui\class-cmatic-modal.php:29)
  • action: init (includes\ui\class-cmatic-notification-center.php:29)
  • action: shutdown (includes\ui\class-cmatic-notification-center.php:30)
  • action: wpcf7_admin_footer (includes\ui\class-cmatic-test-submission-modal.php:26)

Scheduled Events (9)

  • cmatic_weekly_telemetry
  • cmatic_metrics_heartbeat (listed 8 times)
Maintenance & Trust

Connect Contact Form 7 and Mailchimp Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Feb 26, 2026
PHP min version: 7.4
Downloads: 10.0M

Community Trust

Rating: 84/100
Number of ratings: 191
Active installs: 50K
Developer Profile

Connect Contact Form 7 and Mailchimp Developer Profile

Renzo Johnson

5 plugins · 51K total installs

Trust score: 78
Avg Security Score: 99/100
Avg Patch Time: 346 days
Detection Fingerprints

How We Detect Connect Contact Form 7 and Mailchimp

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
  • /wp-content/plugins/contact-form-7-mailchimp-extension/assets/css/chimpmatic-lite-deactivate.css
  • /wp-content/plugins/contact-form-7-mailchimp-extension/assets/css/chimpmatic-lite.css
  • /wp-content/plugins/contact-form-7-mailchimp-extension/assets/js/chimpmatic-lite-notices.js
  • /wp-content/plugins/contact-form-7-mailchimp-extension/assets/js/chimpmatic-lite.js
  • /wp-content/plugins/contact-form-7-mailchimp-extension/assets/js/chimpmatic.js
Script Paths
  • /wp-content/plugins/contact-form-7-mailchimp-extension/assets/js/chimpmatic-lite.js
  • /wp-content/plugins/contact-form-7-mailchimp-extension/assets/js/chimpmatic.js
  • /wp-content/plugins/contact-form-7-mailchimp-extension/assets/js/chimpmatic-lite-notices.js
Version Parameters
  • chimpmatic-lite-css?ver=
  • cmatic-modal-css?ver=
  • chimpmatic-lite-js?ver=
  • chimpmatic-pro?ver=
  • chimpmatic-lite-notices?ver=

HTML / DOM Fingerprints

CSS Classes
  • chimpmatic-lite
  • chimpmatic
Data Attributes
  • chimpmaticLite
  • chmConfig
  • chimpmaticNotices
JS Globals
  • chimpmaticLite
  • chmConfig
  • chimpmaticNotices
REST Endpoints
  • /chimpmatic-lite/v1/
  • /chimpmatic-lite/v1/settings/reset
  • /chimpmatic/v1/
  • /chimpmatic-lite/v1
FAQ

Frequently Asked Questions about Connect Contact Form 7 and Mailchimp