Vulnerabilities and security researches forcf7-salesforce cf7-salesforce

Direction: ascending

Jun 07, 2024

Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms # CVE-2023-37982

CVE, Research URL: CVE-2023-37982
Home page URL: Security reports for Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms
Application: Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms
Date: Dec 20, 2023
Research Description: URL Redirection to Untrusted Site ('Open Redirect') vulnerability in CRM Perks Integration for Salesforce and Contact Form 7, WPForms, Elementor, Ninja Forms.This issue affects Integration for Salesforce and Contact Form 7, WPForms, Elementor, Ninja Forms: from n/a through 1.3.3.
Affected versions: Min -, max -.
Status: vulnerable

Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms # CVE-2024-34755

CVE, Research URL: CVE-2024-34755
Home page URL: Security reports for Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms
Application: Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms
Date: May 17, 2024
Research Description: Cross-Site Request Forgery (CSRF) vulnerability in CRM Perks Integration for Contact Form 7 and Salesforce.This issue affects Integration for Contact Form 7 and Salesforce: from n/a through 1.3.9.
Affected versions: Min -, max -.
Status: vulnerable

Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms # 56cb8480-1791-4990-8fc7-2cb98a10c207

CVE, Research URL: 56cb8480-1791-4990-8fc7-2cb98a10c207
Home page URL: Security reports for Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms
Application: Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms
Date: -
Research Description: Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms [cf7-salesforce] < 1.2.6 Multiple Plugins from CRM Perks - Reflected Cross-Site Scripting Numerous plugins from the CRM Perks vendor do not escape parameters before outputting them back in attributes in admin pages, leading to a Reflected Cross-Site Scripting issues executed in the context of a logged in administrator. It first started with an obvious XSS via the vx_debug GET parameter in 7 plugins, and an attempt was made to fix the issues by sanitising user input via sanitize_text_field(), which is not sufficient when outputting in attributes. All vendor's plugins were checked and 27 out of 30 were found to be affected by output being sanitised but not escaped. Timeline: August 2nd, 2021 - Details sent to vendor August 16th, 2021 - Escalated to WP due to unresponsive vendor August 24th, 2021 - Some new versions released, with insufficient fixes, still allowing for Cross-Site Scripting by injecting arbitrary attributes. Vendor was told to escape such data but argued about it. August 26th, 2021 - Public disclosure August 28th, 2021 - gf-infusionsoft 1.1.5 released, fixing the issue August 29th, 2021 - cf7-mailchimp 1.1.1, cf7-salesforce 1.2.6, cf7-constant-contact 1.1.0, cf7-infusionsoft 1.1.4, cf7-hubspot 1.2.0, cf7-insightly 1.0.9, cf7-zendesk 1.0.8, cf7-zoho 1.1.9, integration-for-contact-form-7-and-pipedrive 1.1.1 released, fixing the issue August 30th, 2021 - wp-gravity-forms-spreadsheets 1.1.1 released, fixing the issue September 1st, 2021 - contact-form-entries 1.2.2, gf-salesforce-crmperks 1.2.6, gf-zoho 1.1.6, gf-hubspot 1.0.9, gf-zendesk 1.0.8, cf7-active-campaign 1.0.4, gf-freshdesk 1.2.9, gf-dynamics-crm 1.0.8, gf-constant-contact 1.0.6, integration-for-gravity-forms-and-pipedrive 1.0.7, gf-insightly 1.0.7, woo-salesforce-plugin-crm-perks 1.5.9, woo-zoho 1.2.4, wp-hubspot-woocommerce 1.0.5, wp-infusionsoft-woocommerce 1.0.9, wp-woocommerce-quickbooks 1.1.9 released, fixing the issue
Affected versions: Min -, max -.
Status: vulnerable

Jun 14, 2025

Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms # CVE-2025-4659

CVE, Research URL: CVE-2025-4659
Home page URL: Security reports for Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms
Application: Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms
Date: May 30, 2025
Research Description: The Integration for Salesforce and Contact Form 7, WPForms, Elementor, Formidable, Ninja Forms plugin for WordPress is vulnerable to Full Path Disclosure in all versions up to, and including, 1.4.4. This makes it possible for unauthenticated attackers to retrieve the full path of the web application, which can be used to aid other attacks. The information displayed is not useful on its own, and requires another vulnerability to be present for damage to an affected website.
Affected versions: Min -, max -.
Status: vulnerable