Vulnerabilities and security researches forcf7-hubspot cf7-hubspot

Direction: descending

Jan 27, 2026

Integration for HubSpot and Contact Form 7, WPForms, Elementor, Ninja Forms # CVE-2026-24559

CVE, Research URL: CVE-2026-24559
Home page URL: Security reports for Integration for HubSpot and Contact Form 7, WPForms, Elementor, Ninja Forms
Application: Integration for HubSpot and Contact Form 7, WPForms, Elementor, Ninja Forms
Date: Jan 23, 2026
Research Description: Insertion of Sensitive Information Into Sent Data vulnerability in CRM Perks Integration for Contact Form 7 HubSpot cf7-hubspot allows Retrieve Embedded Sensitive Data.This issue affects Integration for Contact Form 7 HubSpot: from n/a through <= 1.4.3.
Affected versions: max 1.4.3.
Status: vulnerable

Jan 10, 2026

Integration for HubSpot and Contact Form 7, WPForms, Elementor, Ninja Forms # CVE-2025-68590

CVE, Research URL: CVE-2025-68590
Home page URL: Security reports for Integration for HubSpot and Contact Form 7, WPForms, Elementor, Ninja Forms
Application: Integration for HubSpot and Contact Form 7, WPForms, Elementor, Ninja Forms
Date: Dec 24, 2025
Research Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in CRM Perks Integration for Contact Form 7 HubSpot cf7-hubspot allows Blind SQL Injection.This issue affects Integration for Contact Form 7 HubSpot: from n/a through <= 1.4.2.
Affected versions: max 1.4.2.
Status: vulnerable

Jun 06, 2024

Integration for HubSpot and Contact Form 7, WPForms, Elementor, Ninja Forms # 56cb8480-1791-4990-8fc7-2cb98a10c207

CVE, Research URL: 56cb8480-1791-4990-8fc7-2cb98a10c207
Home page URL: Security reports for Integration for HubSpot and Contact Form 7, WPForms, Elementor, Ninja Forms
Application: Integration for HubSpot and Contact Form 7, WPForms, Elementor, Ninja Forms
Date: -
Research Description: Integration for HubSpot and Contact Form 7, WPForms, Elementor, Ninja Forms [cf7-hubspot] < 1.2.0 Multiple Plugins from CRM Perks - Reflected Cross-Site Scripting Numerous plugins from the CRM Perks vendor do not escape parameters before outputting them back in attributes in admin pages, leading to a Reflected Cross-Site Scripting issues executed in the context of a logged in administrator. It first started with an obvious XSS via the vx_debug GET parameter in 7 plugins, and an attempt was made to fix the issues by sanitising user input via sanitize_text_field(), which is not sufficient when outputting in attributes. All vendor's plugins were checked and 27 out of 30 were found to be affected by output being sanitised but not escaped. Timeline: August 2nd, 2021 - Details sent to vendor August 16th, 2021 - Escalated to WP due to unresponsive vendor August 24th, 2021 - Some new versions released, with insufficient fixes, still allowing for Cross-Site Scripting by injecting arbitrary attributes. Vendor was told to escape such data but argued about it. August 26th, 2021 - Public disclosure August 28th, 2021 - gf-infusionsoft 1.1.5 released, fixing the issue August 29th, 2021 - cf7-mailchimp 1.1.1, cf7-salesforce 1.2.6, cf7-constant-contact 1.1.0, cf7-infusionsoft 1.1.4, cf7-hubspot 1.2.0, cf7-insightly 1.0.9, cf7-zendesk 1.0.8, cf7-zoho 1.1.9, integration-for-contact-form-7-and-pipedrive 1.1.1 released, fixing the issue August 30th, 2021 - wp-gravity-forms-spreadsheets 1.1.1 released, fixing the issue September 1st, 2021 - contact-form-entries 1.2.2, gf-salesforce-crmperks 1.2.6, gf-zoho 1.1.6, gf-hubspot 1.0.9, gf-zendesk 1.0.8, cf7-active-campaign 1.0.4, gf-freshdesk 1.2.9, gf-dynamics-crm 1.0.8, gf-constant-contact 1.0.6, integration-for-gravity-forms-and-pipedrive 1.0.7, gf-insightly 1.0.7, woo-salesforce-plugin-crm-perks 1.5.9, woo-zoho 1.2.4, wp-hubspot-woocommerce 1.0.5, wp-infusionsoft-woocommerce 1.0.9, wp-woocommerce-quickbooks 1.1.9 released, fixing the issue
Affected versions: max 1.2.0.
Status: vulnerable

Integration for HubSpot and Contact Form 7, WPForms, Elementor, Ninja Forms # CVE-2024-34756

CVE, Research URL: CVE-2024-34756
Home page URL: Security reports for Integration for HubSpot and Contact Form 7, WPForms, Elementor, Ninja Forms
Application: Integration for HubSpot and Contact Form 7, WPForms, Elementor, Ninja Forms
Date: May 17, 2024
Research Description: Cross-Site Request Forgery (CSRF) vulnerability in CRM Perks Integration for Contact Form 7 HubSpot.This issue affects Integration for Contact Form 7 HubSpot: from n/a through 1.3.1.
Affected versions: max 1.3.2.
Status: vulnerable

Integration for HubSpot and Contact Form 7, WPForms, Elementor, Ninja Forms # CVE-2023-31095

CVE, Research URL: CVE-2023-31095
Home page URL: Security reports for Integration for HubSpot and Contact Form 7, WPForms, Elementor, Ninja Forms
Application: Integration for HubSpot and Contact Form 7, WPForms, Elementor, Ninja Forms
Date: Dec 29, 2023
Research Description: URL Redirection to Untrusted Site ('Open Redirect') vulnerability in CRM Perks Integration for HubSpot and Contact Form 7, WPForms, Elementor, Ninja Forms.This issue affects Integration for HubSpot and Contact Form 7, WPForms, Elementor, Ninja Forms: from n/a through 1.2.8.
Affected versions: max 1.2.9.
Status: vulnerable