CVE-2026-25430

Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms <= 1.2.2 - Missing Authorization

mediumMissing Authorization
4.3
CVSS Score
4.3
CVSS Score
medium
Severity
1.2.3
Patched in
10d
Time to patch

Description

The Integration for Mailchimp and Contact Form 7, WPForms, Elementor, Ninja Forms plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 1.2.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.2.2
PublishedMarch 18, 2026
Last updatedMarch 27, 2026
Affected plugincf7-mailchimp

What Changed in the Fix

Changes introduced in v1.2.3

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan - CVE-2026-25430 ## 1. Vulnerability Summary The **Integration for Mailchimp and Contact Form 7** plugin (versions <= 1.2.2) is vulnerable to **Missing Authorization** in several AJAX handlers. The plugin registers administrative AJAX actions using the `wp_ajax_` hook w…

Show full research plan

Exploitation Research Plan - CVE-2026-25430

1. Vulnerability Summary

The Integration for Mailchimp and Contact Form 7 plugin (versions <= 1.2.2) is vulnerable to Missing Authorization in several AJAX handlers. The plugin registers administrative AJAX actions using the wp_ajax_ hook without implementing subsequent current_user_can() capability checks in the callback functions. This allows any authenticated user, including those with Subscriber-level permissions, to execute these actions.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Vulnerable Actions:
    • update_feed_vxcf_mailchimp (Modify/Create Mailchimp feeds)
    • send_to_crm_vxcf_mailchimp (Trigger data synchronization to Mailchimp)
    • log_detail_vxcf_mailchimp (Retrieve log details)
    • refresh_data_vxcf_mailchimp (Refresh Mailchimp metadata)
  • Authentication: Authenticated (Subscriber or higher).
  • Payload: URL-encoded POST parameters specifying the action and required data IDs.
  • Severity: CVSS 4.3 (Medium) - focuses on Integrity (I:L).

3. Code Flow

  1. Registration: In includes/plugin-pages.php, the vxcf_mailchimp_pages class registers AJAX handlers in its constructor:
    // includes/plugin-pages.php
    if(in_array($pagenow, array("admin-ajax.php"))){
      add_action('wp_ajax_update_feed_'.$this->id, array($this, 'update_feed'));
      add_action('wp_ajax_send_to_crm_'.$this->id, array($this, 'send_to_crm'));
      // ... where $this->id is 'vxcf_mailchimp'
    }
    
  2. Access: Since the hooks use wp_ajax_ (and not wp_ajax_nopriv_), they are available to all logged-in users.
  3. Execution: When a Subscriber calls admin-ajax.php?action=send_to_crm_vxcf_mailchimp, WordPress invokes the callback.
  4. Failure: The callback functions (e.g., send_to_crm()) in vxcf_mailchimp_pages fail to verify if the user has administrative privileges (e.g., manage_options) before performing the requested action.

4. Nonce Acquisition Strategy

While the vulnerability is "Missing Authorization," the plugin likely implements a nonce check (check_ajax_referer) that must be satisfied.

Steps to obtain the nonce as a Subscriber:

  1. Access Profile: All WordPress users can access /wp-admin/profile.php.
  2. Identify JS Localization: The plugin enqueues scripts for its admin pages. We must check if these scripts or their localized variables are also enqueued on the general dashboard or profile pages for all users.
  3. JavaScript Variable: Based on CRM Perks' common patterns, the nonce is likely localized in an object named vxcf_mailchimp_js or vxcf_mailchimp_vars.
  4. Shortcode Method: If the scripts are not on the profile page, we can use the execution agent to create a page with a plugin shortcode (e.g., [vxcf_mailchimp]) which might trigger script loading on the frontend.
  5. Extraction:
    // Recommended browser_eval script
    window.vxcf_mailchimp_js?.nonce || window.vxcf_mailchimp_vars?.nonce
    
  6. Bypass Check: If the plugin calls check_ajax_referer with the action string -1 or $this->id, it may accept any valid nonce generated for that user.

5. Exploitation Strategy

We will demonstrate the vulnerability by attempting to retrieve log details or trigger a CRM push using a Subscriber account.

Step-by-Step Plan:

  1. Setup: Create a Subscriber user and a dummy "Contact Form 7" entry (to populate logs).
  2. Login: Authenticate as the Subscriber.
  3. Nonce Extraction: Navigate to /wp-admin/ and use browser_eval to search for the nonce in the global JS scope.
  4. Trigger Unauthorized Action: Use http_request to call the log_detail_vxcf_mailchimp action.

Target Request:

  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Method: POST
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body:
    action=log_detail_vxcf_mailchimp&nonce=[EXTRACTED_NONCE]&id=1
    

6. Test Data Setup

  1. Plugin Configuration: Activate "Integration for Mailchimp" and "Contact Form 7".
  2. Mock Feed: Create a basic Mailchimp feed (requires a dummy API key).
  3. Mock Entry: Create a CF7 form and submit it once to generate an entry/log in the database.
  4. Attacker User:
    wp user create attacker attacker@example.com --role=subscriber --user_pass=password123
    

7. Expected Results

  • Success: The server returns a 200 OK status and a JSON response containing log details or a success message (e.g., {"success":true,...}).
  • Failure: The server returns 403 Forbidden or 0 (if unauthorized).

8. Verification Steps

  1. Access Log: As Admin, check if the Mailchimp logs indicate a "resend" or "access" event triggered at the time of the exploit.
  2. CLI Verification: Check the database for log existence:
    wp db query "SELECT * FROM wp_vxcf_mailchimp_logs LIMIT 1;"
    
    If the Subscriber's request returned the same data found in this query, the authorization bypass is confirmed.

9. Alternative Approaches

If log_detail is restricted, attempt update_feed_sort_vxcf_mailchimp:

  • Payload: action=update_feed_sort_vxcf_mailchimp&sort_data[0]=1
  • Check: Verify if the order of feeds in the wp_options or the plugin's custom table changed using wp db query.
  • Note: Check if check_ajax_referer is used with die=false. If so, the exploit can proceed even with an invalid nonce.
Research Findings
Static analysis — not yet PoC-verified

Summary

The Integration for Mailchimp and Contact Form 7 plugin is vulnerable to missing authorization in its AJAX handlers. This allows authenticated users with Subscriber-level permissions or higher to execute administrative actions such as viewing internal logs, modifying plugin feeds, or triggering data synchronization to Mailchimp.

Vulnerable Code

// includes/plugin-pages.php line 27
public function __construct() {
  
  $this->data=$this->get_data_object();
global $pagenow; 
  if(in_array($pagenow, array("admin-ajax.php"))){
  add_action('wp_ajax_update_feed_'.$this->id, array($this, 'update_feed'));
  add_action('wp_ajax_update_feed_sort_'.$this->id, array($this, 'update_feed_sort'));
  add_action('wp_ajax_get_field_map_'.$this->id, array($this, 'get_field_map_ajax'));
  add_action('wp_ajax_get_field_map_object_'.$this->id, array($this, 'get_field_map_object_ajax'));
  add_action('wp_ajax_get_objects_'.$this->id, array($this, 'get_objects_ajax'));
  add_action('wp_ajax_log_detail_'.$this->id, array($this, 'log_detail'));
   add_action('wp_ajax_refresh_data_'.$this->id, array($this, 'refresh_data')); 
  add_action('wp_ajax_send_to_crm_'.$this->id, array($this, 'send_to_crm')); 
  }

---

// includes/plugin-pages.php line 1418
  public function log_detail(){
$log_id=$this->post('id');
$log=$this->data->get_log_by_id($log_id); 
  $data=json_decode($log['data'],true);

Security Fix

diff -ru /home/deploy/wp-safety.org/data/plugin-versions/cf7-mailchimp/1.2.2/includes/plugin-pages.php /home/deploy/wp-safety.org/data/plugin-versions/cf7-mailchimp/1.2.3/includes/plugin-pages.php
--- /home/deploy/wp-safety.org/data/plugin-versions/cf7-mailchimp/1.2.2/includes/plugin-pages.php	2024-08-04 07:26:10.000000000 +0000
+++ /home/deploy/wp-safety.org/data/plugin-versions/cf7-mailchimp/1.2.3/includes/plugin-pages.php	2026-03-22 05:31:46.000000000 +0000
@@ -1416,6 +1416,7 @@
   * 
   */
   public function log_detail(){
+      check_ajax_referer('vx_crm_ajax','vx_crm_ajax');
 $log_id=$this->post('id');
 $log=$this->data->get_log_by_id($log_id); 
   $data=json_decode($log['data'],true);

Exploit Outline

The exploit involves an authenticated user (Subscriber or above) targeting the WordPress AJAX endpoint (/wp-admin/admin-ajax.php). An attacker first retrieves a valid security nonce (likely `vx_crm_ajax`) which is often localized in the global JavaScript scope (e.g., `vxcf_mailchimp_js`) for users accessing the WordPress dashboard. The attacker then sends a POST request with the 'action' parameter set to a vulnerable plugin hook, such as 'log_detail_vxcf_mailchimp', along with the required 'id' and 'nonce' parameters. Because the plugin does not verify the user's capabilities (e.g., via current_user_can('manage_options')), the server processes the request and returns sensitive data or performs administrative configuration changes.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.